[Distutils] TUF, Warehouse, Pip, PyPA, ld-signatures, ed25519
trishank.kuppusamy at datadoghq.com
Thu Mar 22 18:18:05 EDT 2018
On Thu, Mar 22, 2018 at 6:15 PM, Justin Cappos <jcappos at nyu.edu> wrote:
>> Warehouse is already a SPOF.
>> That's a hefty responsibility that contributions should support.
> Warehouse doesn't need to be a SPOF. A compromise of the Warehouse server
> (and all keys on it) need not allow an attacker to compromise many users.
> The details are in the Diplomat
> paper, but the gist is that you can have some rarely used, offline keys
> that are stored by folks like Donald, etc. and a quorum of those trusted
> users would need to be malicious to cause substantial harm to users.
> However, you can have whatever trust / key distribution / storage model
> makes sense. TUF doesn't force you to use some pre-ordained model. It has
> flexibility to support a variety of workflows, including many with good
> security properties.
> Would [offline] package mirrors and the CDN still work for/with TUF keys?
> Yes, this works just fine. CDNs / mirrors do not change in any way.
(I'm logging off work for today, but happy to discuss more tomorrow)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Distutils-SIG