[Distutils] [tuf] Testing pip security without and with TUF
Donald Stufft
donald at stufft.io
Sun Sep 22 03:09:01 CEST 2013
On Sep 21, 2013, at 8:47 PM, Vladimir Diaz <vladimir.v.diaz at gmail.com> wrote:
> What about a precompiled Python extension? Bundling wheels?
The problem is when pip has a dependency on something and someone accidentally uninstalls that dependency it leaves pip in a broken state. Additionally pip uses itself to bootstrap itself so any extra dependency is something else the user has to install prior to bootstrapping pip. Dependencies can be "inlined" inside of pip to work around this issue.
Then we come to the compiled code problem. Pip currently should work on any Python interpreter and not just CPython. PyPy for instance does not support the C API very well and there's a good chance that using C code without using something like CFFI, however using something like CFFI breaks the first rule. Adding C code into the pip repository also has some other problems related to Windows installation.
Does TUF require the use of RSA? I've never found a pure Python RSA implementation that I would personally trust. It's one of the major reasons why, when I was planning out some ideas for a signing system, my plan was to use ed25519 (http://ed25519.cr.yp.to/). It's a fast deterministic signature scheme that has a pure Python implementation (~100 lines of code) written by DJB. Additionally the public keys are very small (32 bytes). Additionally there's libsodium (which I've wrapped in PyNaCl) which implements ed25519 in high performance C code (which PyNaCl makes available in Python).
-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
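The ed25519 properties the message above relies on (a deterministic signature, a 32-byte public key, and an implementation small enough to live in pure Python) in an added example that is not part of this thread, not DJB's ed25519.py and not pip or TUF code. It is checked against RFC 8032 test vector 1 and then signs a constructed metadata record; `SAMPLE_METADATA` is an assumed, made-up value.

```python
import hashlib

# Ed25519 over GF(2^255 - 19), RFC 8032 conventions. Affine arithmetic with one
# field inversion per point add: tiny and readable, not fast and not constant-time.
p = 2**255 - 19
q = 2**252 + 27742317777372353535851937790883648493  # group order
d = -121665 * pow(121666, p - 2, p) % p              # curve constant
I = pow(2, (p - 1) // 4, p)                          # sqrt(-1) mod p
def _inv(x): return pow(x, p - 2, p)
def _h(*parts): return hashlib.sha512(b"".join(parts)).digest()

def _recover_x(y, sign):  # solve x^2 = (y^2-1)/(d*y^2+1), pick the root of given parity
    x2 = (y * y - 1) * _inv(d * y * y + 1) % p
    x = pow(x2, (p + 3) // 8, p)
    if (x * x - x2) % p: x = x * I % p
    if (x * x - x2) % p: raise ValueError("point not on curve")
    return p - x if x & 1 != sign else x
B = (_recover_x(4 * _inv(5) % p, 0), 4 * _inv(5) % p)  # base point (y = 4/5)

def _add(P, Q):  # twisted Edwards addition, complete on this curve
    x1, y1 = P; x2, y2 = Q; t = d * x1 * x2 * y1 * y2
    return ((x1*y2 + x2*y1) * _inv(1 + t) % p, (y1*y2 + x1*x2) * _inv(1 - t) % p)
def _mul(P, e):  # double-and-add scalar multiplication, starting at the identity
    Q = (0, 1)
    while e:
        if e & 1: Q = _add(Q, P)
        P, e = _add(P, P), e >> 1
    return Q
def _enc(P): return (P[1] | (P[0] & 1) << 255).to_bytes(32, "little")
def _dec(s):
    y = int.from_bytes(s, "little")
    return (_recover_x(y & (1 << 255) - 1, y >> 255), y & (1 << 255) - 1)
def _expand(seed):  # SHA-512(seed) -> clamped scalar a, nonce prefix
    h = _h(seed)
    return (int.from_bytes(h[:32], "little") & (1 << 254) - 8) | 1 << 254, h[32:]

def public_key(seed): return _enc(_mul(B, _expand(seed)[0]))  # always 32 bytes
def sign(seed, msg):
    a, prefix = _expand(seed); A = _enc(_mul(B, a))
    r = int.from_bytes(_h(prefix, msg), "little") % q  # nonce from key+msg: deterministic
    R = _enc(_mul(B, r))
    s = (r + int.from_bytes(_h(R, A, msg), "little") * a) % q
    return R + s.to_bytes(32, "little")
def verify(pub, msg, sig):
    try: R, A = _dec(sig[:32]), _dec(pub)
    except ValueError: return False
    s = int.from_bytes(sig[32:], "little")
    k = int.from_bytes(_h(sig[:32], pub, msg), "little") % q
    return len(sig) == 64 and s < q and _mul(B, s) == _add(R, _mul(A, k))

# Constructed sample: a tiny metadata record a package-signing system might publish.
SAMPLE_METADATA = b'{"name":"pip","version":"1.4.1","sha256":"<constructed>"}'
```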