[Catalog-sig] PyPI/pip security: waiting for input

Daniel Holth dholth at gmail.com
Mon Mar 11 15:52:46 CET 2013

Super impressed after reading all the TUF papers and comparing it to
my own feeble proposal, they had addressed a whole bevy of problems
that I hadn't even thought of - infinite-length download attacks,
server-asserted timestamps, quorum signatures, sophisticated trust
delegation, consistency of all the metadata all the time ...

More information about the Catalog-SIG mailing list