[Distutils] TUF, Warehouse, Pip, PyPA, ld-signatures, ed25519

Trishank Kuppusamy trishank.kuppusamy at datadoghq.com
Thu Mar 22 18:18:05 EDT 2018

On Thu, Mar 22, 2018 at 6:15 PM, Justin Cappos <jcappos at nyu.edu> wrote:

>> Warehouse is already a SPOF.
>> That's a hefty responsibility that contributions should support.
> Warehouse doesn't need to be a SPOF.  A compromise of the Warehouse server
> (and all keys on it) need not allow an attacker to compromise many users.
> The details are in the Diplomat
> <https://www.usenix.org/conference/nsdi16/technical-sessions/presentation/kuppusamy>
>  paper, but the gist is that you can have some rarely used, offline keys
> that are stored by folks like Donald, etc. and a quorum of those trusted
> users would need to be malicious to cause substantial harm to users.
> However, you can have whatever trust / key distribution / storage model
> makes sense.  TUF doesn't force you to use some pre-ordained model.  It has
> flexibility to support a variety of workflows, including many with good
> security properties.
> Would [offline] package mirrors and the CDN still work for/with TUF keys?
> Yes, this works just fine.  CDNs / mirrors do not change in any way.


(I'm logging off work for today, but happy to discuss more tomorrow)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20180322/ebfc5c8e/attachment.html>

More information about the Distutils-SIG mailing list