Hello Donald,
On 09/21/2013 05:54 PM, Donald Stufft wrote:
Is it possible to do this in a pure python library? I know there are pure
python libraries for ed25119 that are written by the author so they
should be good to use.
It should be possible to do in pure Python all the cryptography that TUF
needs. The performance may not be so good with sufficiently large RSA
keys, but I think that is a bottleneck only when creating those keys and
signing metadata with those keys. Verifying signatures created by those
keys should be cheap enough, and that is how most people would use TUF
(for reading, not writing). Vlad, what do you think?
Before we go any further, though, we would like your thoughts on the
matter. Should we modify the PyPI server ourselves? Or should we
wait for Warehouse instead? We want to work together with the DistUtils
SIG community on all of this, and would appreciate any feedback and
thoughts you have for us. What would you like to see from us?
What does an integration look like? What time frame are you looking at
completing this? Warehouse is where the future of PyPI is and I'm loathe
to add much else to the old code base, but Warehouse is very incomplete
at the moment.
By an integration, we mean this scenario: developers will be able to
register their package-signing keys with PyPI (by uploading their public
keys), and sign for package metadata themselves with their private keys.
Among other things, the PyPI server will also have to change a bit to
generate some TUF metadata itself.
I think it would make the most sense for us to figure out how to
integrate TUF with Warehouse since that is the future of PyPI. Is now a
good time for us to discuss how to do that? What is your timeframe for
Warehouse?
Thanks,
Trishank
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
