[Catalog-sig] PyPI/pip security: waiting for input

Justin Cappos jcappos at poly.edu
Mon Mar 11 15:33:42 CET 2013

Yep, we have the doc mostly together and are finishing it up / polishing

We'll have something to you soon.   We have a lightning talk set up at
PyCon and will post all then at the latest.   We do want to announce /
share before then though.


On Mon, Mar 11, 2013 at 10:31 AM, Giovanni Bajo <rasky at develer.com> wrote:

> Il giorno 11/mar/2013, alle ore 15:17, Justin Cappos <jcappos at poly.edu>
> ha scritto:
> Yes, we're finishing this up now.   We have a working demo with TUF
> signing PyPI metadata and pip (integrated with TUF) correctly checking
> signatures, etc.
> Trishank: when do you plan to share this?   Does Kon still have some
> integration tests to write to show we meet the use cases from Giovanni's
> document?
> While the code is great, I'm mainly concerned with documenting the
> workflow and making sure it matches the proposed requirements: how to
> create a key, how to revoke it, how to use an offline list of authorized
> keys for installation of packages, etc.
> As I mentioned before, my proposal would only take me a few days to
> prototype (repeating this in case someone thinks that my proposal requires
> millions of man hours for any reason); I held it off waiting for a
> discussion with you.
> Relink to my proposal:
> https://docs.google.com/a/develer.com/document/d/1DgQdDCZY5LiTY5mvfxVVE4MTWiaqIGccK3QCUI8np4k/edit
> --
> Giovanni Bajo   ::  rasky at develer.com
> Develer S.r.l.  ::  http://www.develer.com
> My Blog: http://giovanni.bajo.it
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20130311/39779c15/attachment-0001.html>

More information about the Catalog-SIG mailing list