[Distutils] TUF, Warehouse, Pip, PyPA, ld-signatures, ed25519
Trishank Kuppusamy
trishank.kuppusamy at datadoghq.com
Thu Mar 22 18:18:05 EDT 2018
On Thu, Mar 22, 2018 at 6:15 PM, Justin Cappos <jcappos at nyu.edu> wrote:
>
>
>> Warehouse is already a SPOF.
>> That's a hefty responsibility that contributions should support.
>>
>
> Warehouse doesn't need to be a SPOF. A compromise of the Warehouse server
> (and all keys on it) need not allow an attacker to compromise many users.
> The details are in the Diplomat
> <https://www.usenix.org/conference/nsdi16/technical-sessions/presentation/kuppusamy>
> paper, but the gist is that you can have some rarely used, offline keys
> that are stored by folks like Donald, etc. and a quorum of those trusted
> users would need to be malicious to cause substantial harm to users.
>
> However, you can have whatever trust / key distribution / storage model
> makes sense. TUF doesn't force you to use some pre-ordained model. It has
> flexibility to support a variety of workflows, including many with good
> security properties.
>
> Would [offline] package mirrors and the CDN still work for/with TUF keys?
>>
>
> Yes, this works just fine. CDNs / mirrors do not change in any way.
>
+1
(I'm logging off work for today, but happy to discuss more tomorrow)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20180322/ebfc5c8e/attachment.html>
More information about the Distutils-SIG
mailing list