[Catalog-sig] A modest proposal for securing PyPI with TUF
Trishank Karthik Kuppusamy
tk47 at students.poly.edu
Thu Mar 14 01:11:04 CET 2013
On 03/13/2013 02:15 PM, Daniel Holth wrote:
> With all the different kinds of metadata, It's interesting to note
> that currently TUF seems to only be concerned with the available file
> names and their integrity. (Some of us will think of PEP 426
> "PKG-INFO" first when we hear the word metadata.)
Yes, you are right that the many different kinds of metadata in this
discussion (TUF metadata, PyPI metadata) makes things a little confusing
My understanding of PEP 426 is that the distribution metadata is
specified by the developer with the setup.py script.
To take the running Django example, since the Django developers will
sign everything under the Django role with their own keys that the D
role will talk about, setup.py, as well as the generated "PKG-INFO",
will be signed by the Django developers. This means that pip + TUF will
be able to verify these distribution metadata indirectly via the source
Does this answer your question?
> It looks like the D metadata lists all the filenames for Django, and
> then Django lists them again with hashes and signatures. Why all the
> lists? Does every Django release re-assert all the versions of Django
> that are available on the index?
Good observation. For D, you are talking about the "paths" attribute here:
For Django, you are talking about the "targets" attribute here:
Why is "paths" in D listing all the "targets" that Django already talks
about? Presently, this is because our target delegation tool
(signercli.py) is being paranoid and making sure that D is explicitly
delegating only targets matching these "paths".
However, the TUF specification allows for D to simply say, "I delegate
any target whatsoever under Django", by settings "paths" to
> How might I deal with producing the official source distribution
> myself and having a friend produce the official Windows build of a
There are a few solutions. You could have your friend produce the
official Windows build for a package, and then you could sign it,
implicitly trusting your friend but not publishing that trust.
A more secure solution would have you delegate that target to your friend.
> As an aside PyPI has been doubling in size every 1.5 - 2 years.
Exponential growth strikes again! We have anticipated this, and we have
a few solutions to curb the growth of TUF metadata. Since TUF metadata
is simply text, GZIP compression would go a long way. Alternatively, we
could implement delta updates of TUF metadata.
The more difficult problem is how to ensure that target delegation
structure scales with PyPI growth. A good design will keep this in mind
and plan accordingly.
Speaking of which, it may be the case that our design document for
integrating PyPI with TUF may not be terribly easy to understand. (After
all, you do need to understand TUF first, but TUF is fairly easy once
you understand its main ideas.) I plan to publish a friendlier document
which introduce TUF at a very high-level and instead discuss more
pragmatic issues (such as workflows).
More information about the Catalog-SIG