[Distutils] Status report on PyPI+pip+TUF
holger krekel
holger at merlinux.eu
Thu Aug 1 23:02:45 CEST 2013
Hi Trishank,
On Wed, Jul 31, 2013 at 10:02 -0400, Trishank Karthik Kuppusamy wrote:
> Hello Holger,
>
> On 07/31/2013 08:13 AM, holger krekel wrote:
> >thanks for the high level overview. Do you have a current web page with
> >more detailed technical info with respect to PyPI/TUF?
>
> Good question! I think it is a good idea to put up a "PyPI+pip+TUF
> current status" page on our web site, but in the meantime, here are
> a few links which should point you in the right direction:
>
> 1. pip+TUF: we use the interposition technique [https://github.com/theupdateframework/tuf/tree/master/tuf/interposition]
> to minimally modify pip
> [https://github.com/theupdateframework/pip/compare/tuf] to talk to a
> TUF-secured PyPI mirror.
>
> 2. PyPI+TUF: we use automation to build a testbed for investigating
> different key management and metadata schemes to secure PyPI
> [https://github.com/theupdateframework/pypi.updateframework.com].
> (Note: at the time of writing, the automation is slightly
> out-of-date with our work-in-progress.)
>
> 3. These two links should give you a good picture, but they will not
> give you a complete one. We will formally write about what we mean
> with our upcoming key management as well as metadata generation and
> download scheme. Let me start a document and get back to you on
> that.
thanks for the links. They contain code instructions but I am
not sure I get the overall picture yet. Do you have a whitepaper
or overview describing the approach wrt PyPI?

If I understand the code correctly, you are implementing key
signing, verification and revocation through calling openssl library
functions. Have you considered just invoking or interfacing with "gpg"?

On a minor note, for creating a PyPI mirror it's better to use
bandersnatch instead of pep381 (I am referring to this here:
https://github.com/theupdateframework/pip/wiki/PyPI-over-TUF#mirror-pypi )
Lastly, maybe the advertisement that "TUF is like the 'S' in HTTPS"
is not really a good advertisement given the several currently discussed
problems with HTTPS, the most recent one being the BREACH attack:
http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/
:)
cheers,
holger
> Thanks,
> Trishank
>