Hello Holger,

On 07/31/2013 08:13 AM, holger krekel wrote:
> thanks for the high level overview.  Do you have a current web page with
> more detailed technical info with respect to PyPI/TUF?

Good question! I think it is a good idea to put up a "PyPI+pip+TUF current status" page on our web site, but in the meantime, here are a few links which should point you in the right direction:

1. pip+TUF: we use the interposition technique [https://github.com/theupdateframework/tuf/tree/master/tuf/interposition] to minimally modify pip [https://github.com/theupdateframework/pip/compare/tuf] to talk to a TUF-secured PyPI mirror.

2. PyPI+TUF: we use automation to build a testbed for investigating different key management and metadata schemes to secure PyPI [https://github.com/theupdateframework/pypi.updateframework.com]. (Note: at the time of writing, the automation is slightly out-of-date with our work-in-progress.)

3. These two links should give you a good picture, but they will not give you a complete one. We will formally write about what we mean with our upcoming key management as well as metadata generation and download scheme. Let me start a document and get back to you on that.

Thanks,
Trishank

_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig
