[Distutils] [tuf] Testing pip security without and with TUF

Donald Stufft donald at stufft.io
Sat Sep 21 23:54:46 CEST 2013

Couple questions inline

On Sep 21, 2013, at 5:14 PM, Trishank Karthik Kuppusamy <tk47 at students.poly.edu> wrote:

> Hello everyone,
> Recently, we tested how pip would respond, without and with TUF,
> to attacks on PyPI:
> https://github.com/theupdateframework/pip/wiki/Test-pip-security-without-and-with-TUF
> TUF now uses the portable PyCrypto cryptography library, though we are
> watching cryptography-dev with great interest. In our internal tests,
> pip-with-TUF works on Microsoft Windows 7-8 32/64 bit,
> Apple OS X (10.7-10.8), and Debian/Ubuntu GNU/Linux 32/64 bit.

Is it possible to do this in a pure python library? I know there are pure
python libraries for ed25519 that are written by the author so they
should be good to use.

> We also have integration tests where we show TUF protecting against other
> kinds of attacks:
> https://github.com/theupdateframework/tuf/tree/develop/tests/integration
> Previously, we demonstrated that we could efficiently secure PyPI with
> TUF metadata:
> https://mail.python.org/pipermail/distutils-sig/2013-August/022276.html
> *** We need your guidance here! ***
> Our next step is to integrate TUF with the PyPI server itself to see how
> everything would work in production. This would allow us, amongst other
> things, to build better package-signing tools for developers, and make
> continuous release of packages as smooth as possible.
> Before we go any further, though, we would like your thoughts on the
> matter. Should we modify the PyPI server ourselves? Or should we
> wait for Warehouse instead? We want to work together with the DistUtils
> SIG community on all of this, and would appreciate any feedback and
> thoughts you have for us. What would you like to see from us?

What does an integration look like? What time frame are you looking at
completing this? Warehouse is where the future of PyPI is and I'm loath
to add much else to the old code base, but Warehouse is very incomplete
at the moment.

Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

