[Distutils] [tuf] Testing pip security without and with TUF

Vladimir Diaz vladimir.v.diaz at gmail.com
Sun Sep 22 02:45:34 CEST 2013


On Sat, Sep 21, 2013 at 6:12 PM, Trishank Karthik Kuppusamy <
tk47 at students.poly.edu> wrote:

> Hello Donald,
>
>
> On 09/21/2013 05:54 PM, Donald Stufft wrote:
>
>>
>> Is it possible to do this in a pure python library? I know there are pure
>> python libraries for ed25519 that are written by the author so they
>> should be good to use.
>>
>>
> It should be possible to do in pure Python all the cryptography that TUF
> needs. The performance may not be so good with sufficiently large RSA keys,
> but I think that is a bottleneck only when creating those keys and signing
> metadata with those keys. Verifying signatures created by those keys should
> be cheap enough, and that is how most people would use TUF (for reading,
> not writing). Vlad, what do you think?


According to the author, the pure Python implementation is very slow and
vulnerable to side-channel attacks, although we have not compared it
against the cryptography libraries we have considered. It is also only an
elliptic-curve public-key signature scheme. We should consider it, especially
if we are being restricted to pure Python, but the Python implementation
appears (IMO) to be for educational purposes.


>> Before we go any further, though, we would like your thoughts on the
>> matter. Should we modify the PyPI server ourselves? Or should we
>> wait for Warehouse instead? We want to work together with the DistUtils
>> SIG community on all of this, and would appreciate any feedback and
>> thoughts you have for us. What would you like to see from us?
>>
>
> What does an integration look like? What time frame are you looking at
> completing this? Warehouse is where the future of PyPI is and I'm loathe
> to add much else to the old code base, but Warehouse is very incomplete
> at the moment.
>
>
> By an integration, we mean this scenario: developers will be able to
> register their package-signing keys with PyPI (by uploading their public
> keys), and sign for package metadata themselves with their private keys.
> Among other things, the PyPI server will also have to change a bit to
> generate some TUF metadata itself.
>
> I think it would make the most sense for us to figure out how to integrate
> TUF with Warehouse since that is the future of PyPI. Is now a good time for
> us to discuss how to do that? What is your timeframe for Warehouse?
>
> Thanks,
> Trishank
>
>