[Catalog-sig] A modest proposal for securing PyPI with TUF

Trishank Karthik Kuppusamy tk47 at students.poly.edu
Thu Mar 14 06:47:17 CET 2013

On 3/13/13 9:19 PM, Daniel Holth wrote:
> Thanks, yes. The individual .tar.gz distributions do contain PKG-INFO
> but we would eventually like to expose it in a more efficient way.
> Then to be suitably paranoid you would also have to check that it
> matched the package you downloaded! :(

Great, glad we could help. Well, at least the paranoid would just need 
an extra download :))

> Also note that on http://crate.io the simple index works the same way
> as on pypi, except that the actual packages are on a different (CDN)
> host.

Got it. I'll take a look at crate.io to see how it works. Conceivably, 
the TUF metadata and the PyPI files could live in separate locations 
altogether and we would just have to check that the TUF metadata matches 
the PyPI files.

More information about the Catalog-SIG mailing list