[Distutils] Status report on PyPI+pip+TUF

Trishank Karthik Kuppusamy tk47 at students.poly.edu
Fri Aug 2 02:42:04 CEST 2013

On 08/01/2013 05:02 PM, holger krekel wrote:
> thanks for the links.  They contain code instructions but i am
> not sure i get the overall picture yet.  Do you have a whitepaper
> or overview describing the approach wrt to PyPI?

We do, but it is not up-to-date with our latest thoughts. We will 
rectify this soon enough:


> If i understand the code correctly, you are implementing key
> signing, verification and revocation through calling openssl library
> functions.  Have you considered just invoking or interfacing with "gpg"?

Yes, that is an option we could decide to implement, along with other 
cryptography libraries. I think we chose to start with interfacing with 
OpenSSL because it is generic, time-tested to be secure and available on 
many platforms. TUF does not need to exclusively depend on either 
OpenSSL, GPG or anything else: we can extend it to use what is available.

> On a minor note, for creating a pypi mirror it's better to use
> bandersnatch instead of pep381 (i am refering to this here:
> https://github.com/theupdateframework/pip/wiki/PyPI-over-TUF#mirror-pypi )

Thanks for the tip. Indeed, we do use bandersnatch 
That wiki entry points to an old set of instructions that we will remove 

> Lastly, maybe the advertisement that "TUF is like the 'S' in HTTPS"
> is not really a good advertisement given the several currently discussed
> problems with HTTPS, the most recent one being the BREACH attack:
> http://arstechnica.com/security/2013/08/gone-in-30-seconds-new-attack-plucks-secrets-from-https-protected-pages/

I see what you are saying, but I do not think that it follows that TUF 
works like SSL :) Perhaps we can think of a better metaphor, but the 
idea we wanted to convey is that TUF is like a plug-in you simply drop 
into your software update system, and voilà, you get security for 
relatively little work.

Let us know if you have more questions. In the meantime, we are busy 
designing our key management scheme for PyPI+TUF (which I think would 
highly interest you), so please bear with us while we hammer that out 
over this week.

More information about the Distutils-SIG mailing list