[Distutils] [tuf] Testing pip security without and with TUF

Trishank Karthik Kuppusamy tk47 at students.poly.edu
Sun Sep 22 08:59:41 CEST 2013


On 9/21/13 9:09 PM, Donald Stufft wrote:
>
> On Sep 21, 2013, at 8:47 PM, Vladimir Diaz <vladimir.v.diaz at gmail.com> wrote:
>
>> What about a precompiled Python extension?  Bundling wheels?
>
>
> The problem is when pip has a dependency on something and someone
> accidentally uninstalls that dependency it leaves pip in a broken state.
> Additionally pip uses itself to bootstrap itself so any extra dependency
> is something else the user has to install prior to bootstrapping pip.
> Dependencies can be "inlined" inside of pip to work around this issue.
>
> Then we come to the compiled code problem. Pip currently should work on
> any Python interpreter and not just CPython. PyPy for instance does not
> support the C API very well and there's a good chance that using C code
> without using something like CFFI, however using something like CFFI
> breaks the first rule. Adding C code into the pip repository also has
> some other problems related to Windows installation.
>

All very valid points, and we do not disagree.

> Does TUF require the use of RSA? I've never found a pure Python RSA
> implementation that I would personally trust. It's one of the major
> reasons when I was planning out some ideas for a signing system my plan
> was to use ed25519 (http://ed25519.cr.yp.to/). It's a fast deterministic
> signature scheme that has a pure python implementation (~100 lines of
> code) written by DJB. Additionally the public keys are very small (32
> bytes). Additionally there's libsodium (which I've wrapped in PyNaCl)
> which implements ed25519 in high performance C code (which PyNaCl makes
> available in Python).
>

No, nothing about TUF mandates RSA. ed25519 certainly sounds
interesting, and we will consider it when we review our cryptography. As
you said, it is important that our "read-only" cryptography is in pure
Python for best portability. Let us get back to you on this matter.

In the meantime, we will also get in touch with you about Warehouse.

Thanks,
Trishank
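The "read-only" cryptography discussed above, as an added illustration that is not code from pip, TUF, PyNaCl or DJB: an Ed25519 signature verifier that needs nothing beyond hashlib's SHA-512 and Python's big integers, so it runs unchanged on CPython and PyPy, checked against an RFC 8032 test vector. Function names and the lack of a signing routine are my own choices; signing is deliberately left out because the non-constant-time arithmetic here is only safe on public data.

```python
import hashlib
# edwards25519 constants (RFC 8032): only SHA-512 and big integers are needed.
Q = 2**255 - 19                                      # field prime
L = 2**252 + 27742317777372353535851937790883648493  # order of the base point
D = -121665 * pow(121666, Q - 2, Q) % Q              # curve constant d
I = pow(2, (Q - 1) // 4, Q)                          # sqrt(-1) mod Q
def _xrecover(y):
    """Return the even x with -x^2 + y^2 = 1 + D*x^2*y^2 (mod Q)."""
    xx = (y * y - 1) * pow(D * y * y + 1, Q - 2, Q)
    x = pow(xx, (Q + 3) // 8, Q)
    if (x * x - xx) % Q:
        x = x * I % Q
    return x if x % 2 == 0 else Q - x

def _add(P, R):                                       # affine Edwards addition
    (x1, y1), (x2, y2) = P, R
    t = D * x1 * x2 * y1 * y2
    return ((x1 * y2 + x2 * y1) * pow(1 + t, Q - 2, Q) % Q,
            (y1 * y2 + x1 * x2) * pow(1 - t, Q - 2, Q) % Q)

def _mul(P, e):                                       # double-and-add
    R = (0, 1)                                        # neutral element
    while e:
        if e & 1:
            R = _add(R, P)
        P, e = _add(P, P), e >> 1
    return R

def _decode(s):
    """Decode a 32-byte compressed point; None if it is not on the curve."""
    y = int.from_bytes(s, "little") & ((1 << 255) - 1)
    x = _xrecover(y)
    if (x & 1) != (s[31] >> 7):                       # top bit selects x
        x = Q - x
    if (-x * x + y * y - 1 - D * x * x * y * y) % Q:
        return None
    return (x, y)

BY = 4 * pow(5, Q - 2, Q) % Q
BASE = (_xrecover(BY), BY)                            # standard base point B

def verify(sig, msg, pk):
    """True iff sig is a valid Ed25519 signature on msg under public key pk."""
    if len(sig) != 64 or len(pk) != 32:
        return False
    R, A, S = _decode(sig[:32]), _decode(pk), int.from_bytes(sig[32:], "little")
    if R is None or A is None or S >= L:              # reject malleable S
        return False
    k = int.from_bytes(hashlib.sha512(sig[:32] + pk + msg).digest(), "little")
    return _mul(BASE, S) == _add(R, _mul(A, k))       # S*B == R + k*A
```

The public key and signature below are the first test vector from RFC 8032 (empty message), which is the kind of fixed test a pure-Python verifier should ship with.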
