[Catalog-sig] PyPI/pip security: waiting for input

Justin Cappos jcappos at poly.edu
Mon Mar 11 15:33:42 CET 2013


Yep, we have the doc mostly together and are finishing it up / polishing
it.

We'll have something to you soon.   We have a lightning talk set up at
PyCon and will post all then at the latest.   We do want to announce /
share before then though.

Justin


On Mon, Mar 11, 2013 at 10:31 AM, Giovanni Bajo <rasky at develer.com> wrote:

> On 11/mar/2013, at 15:17, Justin Cappos <jcappos at poly.edu>
> wrote:
>
> Yes, we're finishing this up now.   We have a working demo with TUF
> signing PyPI metadata and pip (integrated with TUF) correctly checking
> signatures, etc.
>
> Trishank: when do you plan to share this?   Does Kon still have some
> integration tests to write to show we meet the use cases from Giovanni's
> document?
>
>
> While the code is great, I'm mainly concerned with documenting the
> workflow and making sure it matches the proposed requirements: how to
> create a key, how to revoke it, how to use an offline list of authorized
> keys for installation of packages, etc.
>
> As I mentioned before, my proposal would only take me a few days to
> prototype (repeating this in case someone thinks that my proposal requires
> millions of man hours for any reason); I held it off waiting for a
> discussion with you.
>
> Relink to my proposal:
>
> https://docs.google.com/a/develer.com/document/d/1DgQdDCZY5LiTY5mvfxVVE4MTWiaqIGccK3QCUI8np4k/edit
> --
> Giovanni Bajo   ::  rasky at develer.com
> Develer S.r.l.  ::  http://www.develer.com
>
> My Blog: http://giovanni.bajo.it
>