[Distutils] Status report on PyPI+pip+TUF

Trishank Karthik Kuppusamy tk47 at students.poly.edu
Wed Jul 31 16:02:48 CEST 2013

Hello Holger,

On 07/31/2013 08:13 AM, holger krekel wrote:
> thanks for the high level overview.  Do you have a current web page with
> more detailed technical info with respect to PyPI/TUF?

Good question! I think it is a good idea to put up a "PyPI+pip+TUF 
current status" page on our web site, but in the meantime, here are a 
few links which should point you in the right direction:

1. pip+TUF: we use the interposition technique 
[https://github.com/theupdateframework/tuf/tree/master/tuf/interposition] to 
minimally modify pip 
[https://github.com/theupdateframework/pip/compare/tuf] to talk to a 
TUF-secured PyPI mirror.

2. PyPI+TUF: we use automation to build a testbed for investigating 
different key management and metadata schemes to secure PyPI 
[https://github.com/theupdateframework/pypi.updateframework.com]. (Note: 
at the time of writing, the automation is slightly out-of-date with our 

3. These two links should give you a good picture, but they will not 
give you a complete one. We will formally write about what we mean with 
our upcoming key management as well as metadata generation and download 
scheme. Let me start a document and get back to you on that.


More information about the Distutils-SIG mailing list