[Distutils] Realistic PyPI, pip and TUF demo

Trishank Karthik Kuppusamy tk47 at students.poly.edu
Thu Aug 15 05:57:18 CEST 2013

Hello everyone,

We now have a demonstration of pip that securely and efficiently 
downloads with TUF any package from a PyPI mirror:


We hope that you will try our demonstration with your favourite packages 
and tell us about any issue that you find.

TUF does not yet work on Microsoft Windows and Apple OS X. This is 
because it depends for cryptography on a custom Python library (evpy) 
which binds with OpenSSL. We are planning to fix this by moving to the 
cross-platform Mozilla Network Security Services (NSS) library.

We also welcome your thoughts on features and enhancements that you 
would like to see.

Our next demo will show security flaws in package managers such as pip 
that do not use TUF. We will then see how pip with TUF addresses those 
security attacks.

-The TUF team

More information about the Distutils-SIG mailing list