[Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security

Nick Coghlan ncoghlan at gmail.com
Sun Feb 10 14:22:48 CET 2013


On Sun, Feb 10, 2013 at 10:57 PM, Jesse Noller <jnoller at gmail.com> wrote:
>> The main benefit in my mind is that it isn't a from-scratch design of
>> a secure update infrastructure. Instead, it's a project that was
>> started in order to resolve some security holes found in Tor's already
>> robust automatic update mechanism, then proceeded from there into
>> updates to yum, yast, apt, etc (i.e. the distro update mechanisms that
>> are vetted by the security teams of the various Linux vendors). The
>> fact Geremy Condra is involved in TUF also counts for a lot with me
>> (as I suspect it would for many people that have heard Geremy talk
>> about security issues in Python).
>>
> That *is* a big +1 from me; do you think we can loop him into these discussions? If you don't have his email, I do.

I've asked the TUF folks to come to the packaging & distribution
mini-summit I'm organising at PyCon US. While I think it's worth
getting the enhanced SSL infrastructure in place soon in order to
better secure the status quo, I think we can be a bit more measured in
the way we approach the creation of a secure and usable end-to-end
software distribution design.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
