[Distutils] TUF, Warehouse, Pip, PyPA, ld-signatures, ed25519

Justin Cappos jcappos at nyu.edu
Thu Mar 22 18:15:44 EDT 2018

> Warehouse is already a SPOF.
> That's a hefty responsibility that contributions should support.

Warehouse doesn't need to be a SPOF.  A compromise of the Warehouse server
(and all keys on it) need not allow an attacker to compromise many users.
The details are in the Diplomat
 paper, but the gist is that you can have some rarely used, offline keys
that are stored by folks like Donald, etc. and a quorum of those trusted
users would need to be malicious to cause substantial harm to users.

However, you can have whatever trust / key distribution / storage model
makes sense.  TUF doesn't force you to use some pre-ordained model.  It has
flexibility to support a variety of workflows, including many with good
security properties.

Would [offline] package mirrors and the CDN still work for/with TUF keys?

Yes, this works just fine.  CDNs / mirrors do not change in any way.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20180322/e1478ceb/attachment.html>

More information about the Distutils-SIG mailing list