[Distutils] [tuf] Testing pip security without and with TUF
Vladimir Diaz
vladimir.v.diaz at gmail.com
Sun Sep 22 02:47:07 CEST 2013
On Sat, Sep 21, 2013 at 6:17 PM, Donald Stufft <donald at stufft.io> wrote:
>
> On Sep 21, 2013, at 6:12 PM, Trishank Karthik Kuppusamy <
> tk47 at students.poly.edu> wrote:
>
> > Hello Donald,
> >
> > On 09/21/2013 05:54 PM, Donald Stufft wrote:
> >>
> >> Is it possible to do this in a pure python library? I know there are
> pure
> >> python libraries for ed25119 that are written by the author so they
> >> should be good to use.
> >>
> >
> > It should be possible to do in pure Python all the cryptography that TUF
> needs. The performance may not be so good with sufficiently large RSA keys,
> but I think that is a bottleneck only when creating those keys and signing
> metadata with those keys. Verifying signatures created by those keys should
> be cheap enough, and that is how most people would use TUF (for reading,
> not writing). Vlad, what do you think?
>
> Ok good, as long as what someone installing a package needs done can be
> done in pure python that's fine. Pip can't have dependencies in the
> traditional sense so everything needs to be embeddable and pure python. An
> optional C module for speed ups is fine.
>
What about a precompiled Python extension? Bundling wheels?
> Packaging tools on the other hand IMO can require compiled code.
>
> >
> >>>
> >>> Before we go any further, though, we would like your thoughts on the
> >>> matter. Should we modify the PyPI server ourselves? Or should we
> >>> wait for Warehouse instead? We want to work together with the DistUtils
> >>> SIG community on all of this, and would appreciate any feedback and
> >>> thoughts you have for us. What would you like to see from us?
> >>
> >> What does an integration look like? What time frame are you looking at
> >> completing this? Warehouse is where the future of PyPI is and I'm loathe
> >> to add much else to the old code base, but Warehouse is very incomplete
> >> at the moment.
> >>
> >
> > By an integration, we mean this scenario: developers will be able to
> register their package-signing keys with PyPI (by uploading their public
> keys), and sign for package metadata themselves with their private keys.
> Among other things, the PyPI server will also have to change a bit to
> generate some TUF metadata itself.
> >
> > I think it would make the most sense for us to figure out how to
> integrate TUF with Warehouse since that is the future of PyPI. Is now a
> good time for us to discuss how to do that? What is your timeframe for
> Warehouse?
>
> Right now i'm porting over database tables to be "owned" by Warehouse
> (Warehouse and legacy PyPI run in tandem). After that i'll be working on
> porting the existing API. I'm hoping to have something that people can
> install from to test in a month or two.
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
>