[Distutils] The software update framework

Nick Coghlan ncoghlan at gmail.com
Tue Oct 24 08:56:44 EDT 2017


On 24 October 2017 at 20:34, Thomas Güttler <guettliml at thomas-guettler.de>
wrote:

> I stumbled over this page: https://theupdateframework.github.io/
>
For folks that haven't read them before, note that TUF is also the basis
for the SSL/TLS independent package signing proposals in PEPs 458 & 480:

* https://www.python.org/dev/peps/pep-0458/ (PyPI -> end user signing)
* https://www.python.org/dev/peps/pep-0480/ (publisher -> end user signing)

Actually pursuing that idea is contingent on our being comfortable that the
related key management activities will be on a sustainable footing, though:
http://www.curiousefficiency.org/posts/2016/09/python-packaging-ecosystem.html#making-pypi-security-independent-of-ssl-tls

Cheers,
Nick.

P.S. TUF is in the news a bit this week, as both it and the related content
signing project, Notary, were just accepted as community projects hosted by
the Cloud Native Computing Foundation:
https://thenewstack.io/cncf-brings-security-cloud-native-stack-notary-tuf-adoption/

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia