[Distutils] Status report on PyPI+pip+TUF
Trishank Karthik Kuppusamy
tk47 at students.poly.edu
Fri Aug 2 02:42:04 CEST 2013
On 08/01/2013 05:02 PM, holger krekel wrote:
> thanks for the links. They contain code instructions but i am
> not sure i get the overall picture yet. Do you have a whitepaper
> or overview describing the approach wrt PyPI?
We do, but it is not up-to-date with our latest thoughts. We will
rectify this soon enough:
https://docs.google.com/document/d/1sHMhgrGXNCvBZdmjVJzuoN5uMaUAUDWBmn3jo7vxjjw/edit
> If i understand the code correctly, you are implementing key
> signing, verification and revocation through calling openssl library
> functions. Have you considered just invoking or interfacing with "gpg"?
Yes, that is an option we could decide to implement, along with other
cryptography libraries. I think we chose to start with interfacing with
OpenSSL because it is generic, time-tested to be secure and available on
many platforms. TUF does not need to exclusively depend on either
OpenSSL, GPG or anything else: we can extend it to use what is available.
> On a minor note, for creating a pypi mirror it's better to use
> bandersnatch instead of pep381 (i am referring to this here:
> https://github.com/theupdateframework/pip/wiki/PyPI-over-TUF#mirror-pypi )
Thanks for the tip. Indeed, we do use bandersnatch
[https://github.com/theupdateframework/pypi.updateframework.com/blob/master/setup2.sh#L19].
That wiki entry points to an old set of instructions that we will remove
soon.
> Lastly, maybe the advertisement that "TUF is like the 'S' in HTTPS"
> is not really a good advertisement given the several currently discussed
> problems with HTTPS, the most recent one being the BREACH attack:
> http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/
>
I see what you are saying, but I do not think that it follows that TUF
works like SSL :) Perhaps we can think of a better metaphor, but the
idea we wanted to convey is that TUF is like a plug-in you simply drop
into your software update system, and voilà, you get security for
relatively little work.
Let us know if you have more questions. In the meantime, we are busy
designing our key management scheme for PyPI+TUF (which I think would
highly interest you), so please bear with us while we hammer that out
over this week.