[Distutils] [tuf] Testing pip security without and with TUF

Donald Stufft donald at stufft.io
Sun Sep 22 00:17:34 CEST 2013


On Sep 21, 2013, at 6:12 PM, Trishank Karthik Kuppusamy <tk47 at students.poly.edu> wrote:

> Hello Donald,
> 
> On 09/21/2013 05:54 PM, Donald Stufft wrote:
>> 
>> Is it possible to do this in a pure python library? I know there are pure
>> python libraries for ed25519 that are written by the author so they
>> should be good to use.
>> 
> 
> It should be possible to do in pure Python all the cryptography that TUF needs. The performance may not be so good with sufficiently large RSA keys, but I think that is a bottleneck only when creating those keys and signing metadata with those keys. Verifying signatures created by those keys should be cheap enough, and that is how most people would use TUF (for reading, not writing). Vlad, what do you think?

OK, good: as long as what someone installing a package needs done can be done in pure Python, that's fine. Pip can't have dependencies in the traditional sense, so everything needs to be embeddable and pure Python. An optional C module for speed-ups is fine.

Packaging tools on the other hand IMO can require compiled code.

> 
>>> 
>>> Before we go any further, though, we would like your thoughts on the
>>> matter. Should we modify the PyPI server ourselves? Or should we
>>> wait for Warehouse instead? We want to work together with the DistUtils
>>> SIG community on all of this, and would appreciate any feedback and
>>> thoughts you have for us. What would you like to see from us?
>> 
>> What does an integration look like? What time frame are you looking at
>> completing this? Warehouse is where the future of PyPI is and I'm loath
>> to add much else to the old code base, but Warehouse is very incomplete
>> at the moment.
>> 
> 
> By an integration, we mean this scenario: developers will be able to register their package-signing keys with PyPI (by uploading their public keys), and sign for package metadata themselves with their private keys. Among other things, the PyPI server will also have to change a bit to generate some TUF metadata itself.
> 
> I think it would make the most sense for us to figure out how to integrate TUF with Warehouse since that is the future of PyPI. Is now a good time for us to discuss how to do that? What is your timeframe for Warehouse?

Right now I'm porting over database tables to be "owned" by Warehouse (Warehouse and legacy PyPI run in tandem). After that I'll be working on porting the existing API. I'm hoping to have something that people can install from to test in a month or two.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
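
The integration sketched in this thread (developers register public keys with PyPI, sign their package metadata with their private keys, and pip verifies in pure Python) as an added, self-contained example. It is not code from the thread, from TUF or from pip, and it uses only the Python standard library. The signature scheme is toy textbook RSA over a SHA-256 digest (no padding, no blinding), chosen only so the example runs offline; the `registry` dict standing in for PyPI's key registration, the `demo` scenario, the threshold of 2, and the targets metadata are all constructed for this example.

```python
import hashlib
import json
import math
import secrets

E = 65537  # public exponent shared by every toy key


def _canonical(obj):
    """Deterministic JSON so signer and verifier hash exactly the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _is_probable_prime(n, rounds=24):
    """Miller-Rabin probabilistic primality test (stdlib-only key generation)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit, odd
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """The slow step in pure Python: done rarely, and only by signers, never by pip.
    bits must exceed 256 so the SHA-256 digest is smaller than the modulus."""
    half = bits // 2
    while True:
        p, q = _random_prime(half), _random_prime(half)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            n = p * q
            return {"n": n, "e": E}, {"n": n, "d": pow(E, -1, phi)}


def keyid(public):
    """Key identifier = hash of the canonical public key, as a registry would store it."""
    return hashlib.sha256(_canonical(public)).hexdigest()


def _digest_int(signed):
    return int.from_bytes(hashlib.sha256(_canonical(signed)).digest(), "big")


def sign(signed, private, public):
    """Developer side: sign the 'signed' section with the private key."""
    sig = pow(_digest_int(signed), private["d"], private["n"])
    return {"keyid": keyid(public), "sig": format(sig, "x")}


def verify(metadata, registry, threshold):
    """Client side (cheap): count valid signatures from registered keys only."""
    m = _digest_int(metadata["signed"])
    good = set()
    for entry in metadata["signatures"]:
        public = registry.get(entry["keyid"])
        if public is None:
            continue  # unregistered key: contributes nothing, whatever it signed
        if pow(int(entry["sig"], 16), public["e"], public["n"]) == m:
            good.add(entry["keyid"])  # a set, so one key cannot count twice
    return len(good) >= threshold


def demo():
    """Constructed scenario; returns (accepted, tampered_rejected, rogue_rejected)."""
    pub1, priv1 = generate_keypair()
    pub2, priv2 = generate_keypair()
    rogue_pub, rogue_priv = generate_keypair()  # valid key, never registered
    registry = {keyid(pub1): pub1, keyid(pub2): pub2}  # PyPI's registered keys
    signed = {"_type": "targets", "version": 1, "targets": {
        "dist/example-1.0.tar.gz": {"length": 1234, "hashes": {"sha256": "00" * 32}}}}
    metadata = {"signed": signed,
                "signatures": [sign(signed, priv1, pub1), sign(signed, priv2, pub2)]}
    accepted = verify(metadata, registry, threshold=2)
    tampered = json.loads(json.dumps(metadata))
    tampered["signed"]["targets"]["dist/example-1.0.tar.gz"]["hashes"]["sha256"] = "ff" * 32
    tampered_rejected = not verify(tampered, registry, threshold=2)
    rogue = {"signed": signed,
             "signatures": [sign(signed, rogue_priv, rogue_pub), sign(signed, priv1, pub1)]}
    rogue_rejected = not verify(rogue, registry, threshold=2)
    return accepted, tampered_rejected, rogue_rejected
```

Running `demo()` exercises the three cases the thread cares about: metadata signed by enough registered keys is accepted, a modified target hash invalidates every signature, and a signature from a key that was never registered with the repository does not count toward the threshold. Only `generate_keypair` and `sign` do expensive modular exponentiation with a large private exponent; `verify`, the only part an installer runs, uses the small public exponent, which is why pure-Python verification is affordable even where pure-Python signing would be slow. A production scheme would replace the toy RSA with a padded signature scheme or Ed25519 as discussed above.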
