[Distutils] Testing pip security without and with TUF

Trishank Karthik Kuppusamy tk47 at students.poly.edu
Sat Sep 21 23:14:15 CEST 2013


Hello everyone,

Recently, we tested how pip would respond, without and with TUF,
to attacks on PyPI:
https://github.com/theupdateframework/pip/wiki/Test-pip-security-without-and-with-TUF

TUF now uses the portable PyCrypto cryptography library, though we are
watching cryptography-dev with great interest. In our internal tests,
pip-with-TUF works on Microsoft Windows 7-8 32/64 bit,
Apple OS X (10.7-10.8), and Debian/Ubuntu GNU/Linux 32/64 bit.

We also have integration tests where we show TUF protecting against other
kinds of attacks:
https://github.com/theupdateframework/tuf/tree/develop/tests/integration

Previously, we demonstrated that we could efficiently secure PyPI with
TUF metadata:
https://mail.python.org/pipermail/distutils-sig/2013-August/022276.html

*** We need your guidance here! ***
  
Our next step is to integrate TUF with the PyPI server itself to see how
everything would work in production. This would allow us, amongst other
things, to build better package-signing tools for developers, and make
continuous release of packages as smooth as possible.

Before we go any further, though, we would like your thoughts on the
matter. Should we modify the PyPI server ourselves? Or should we
wait for Warehouse instead? We want to work together with the DistUtils
SIG community on all of this, and would appreciate any feedback and
thoughts you have for us. What would you like to see from us?

Thanks,
The TUF Team
