Il giorno 22/feb/2013, alle ore 17:42, Justin Cappos <[email protected]> ha scritto:
> Okay, I took a quick look and posted a bunch of comments in the document. I > took a more thorough look at the early sections than the later. > > You've done a nice job with the design overall and clearly thought through a > lot of security issues. I did point several places where I either don't > understand something or there might be a potential to improve the security. Thanks. I've replied to your comments. > After reading the doc, I'm not clear on how mirrors / CDNs / separate file > servers will be used in the system and what sort of trust you are placing in > them. In particular, much of the text about PyPI may or may not apply to > mirrors. These are a major headache from a security standpoint and something > we've really tried to minimize in TUF. I think the current PyPI mirror can be highly simplified once we introduce end-to-end authenticity with GPG. My suggestion would be to make them simple file servers, or even drop them and switch to commercial CDN, that would simplify lots of management. What we should drop is the concept of a full mirror, as it creates lots of security headaches as you say. I think the PSF board is open to a proposal to set up a budget for this. > I've also thought more about how TUF would address the issues you've > mentioned. I believe TUF addressed the concerns mentioned in the doc (except > of course things like password storage which are PyPI website changes). We > also all of the proposed future enhancements mentioned at the end of the > document. I think TUF is a large superset of what I proposed, that means that it is also a large superset of what it is (likely) needed. I'm still worried of how we can simplify TUF from an UX and IT perspective. I think that I need some inputs from you. Can you please write down something that describes: 1) What is exactly expected from a package maintainer to do to: 1a) register themselves as package maintainers on PyPI 1b) sign/publish a new package 1c) hide/show a package version 2) What modifications are required on the PyPI server? How many GPG keys the server would need to handle? Would they be online or offline? What processes do we need to setup? I would expect such document to describe also required changes to distutils and PyPI protocols, if required. > I must confess I'm still digging out after my deadline, so my responses may > be delayed. There is no specific hurry, though I would like these issues to be sorted out. I'm happy to integrate TUF if it's the best solution, but we need to discuss how. -- Giovanni Bajo :: [email protected] Develer S.r.l. :: http://www.develer.com My Blog: http://giovanni.bajo.it
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
