[Distutils] Status report on PyPI+pip+TUF
Trishank Karthik Kuppusamy
tk47 at students.poly.edu
Wed Jul 31 16:02:48 CEST 2013
On 07/31/2013 08:13 AM, holger krekel wrote:
> thanks for the high level overview. Do you have a current web page with
> more detailed technical info with respect to PyPI/TUF?
Good question! I think it is a good idea to put up a "PyPI+pip+TUF
current status" page on our web site, but in the meantime, here are a
few links which should point you in the right direction:
1. pip+TUF: we use the interposition technique to minimally modify pip
[https://github.com/theupdateframework/pip/compare/tuf] to talk to a
TUF-secured PyPI mirror.
2. PyPI+TUF: we use automation to build a testbed for investigating
different key management and metadata schemes to secure PyPI;
at the time of writing, the automation is slightly out-of-date with our
3. These two links should give you a good picture, but they will not
give you a complete one. We will formally write about what we mean with
our upcoming key management as well as metadata generation and download
scheme. Let me start a document and get back to you on that.