[Distutils] Status report on PyPI+pip+TUF
Trishank Karthik Kuppusamy
tk47 at students.poly.edu
Wed Jul 31 16:02:48 CEST 2013
Hello Holger,
On 07/31/2013 08:13 AM, holger krekel wrote:
> thanks for the high level overview. Do you have a current web page with
> more detailed technical info with respect to PyPI/TUF?
Good question! I think it is a good idea to put up a "PyPI+pip+TUF
current status" page on our web site, but in the meantime, here are a
few links which should point you in the right direction:
1. pip+TUF: we use the interposition technique
[https://github.com/theupdateframework/tuf/tree/master/tuf/interposition] to
minimally modify pip
[https://github.com/theupdateframework/pip/compare/tuf] to talk to a
TUF-secured PyPI mirror.
2. PyPI+TUF: we use automation to build a testbed for investigating
different key management and metadata schemes to secure PyPI
[https://github.com/theupdateframework/pypi.updateframework.com]. (Note:
at the time of writing, the automation is slightly out-of-date with our
work-in-progress.)
3. These two links should give you a good picture, but they will not
give you a complete one. We will formally write about what we mean by
our upcoming key management as well as metadata generation and download
scheme. Let me start a document and get back to you on that.
Thanks,
Trishank