[Distutils] Realistic PyPI, pip and TUF demo
Trishank Karthik Kuppusamy
tk47 at students.poly.edu
Thu Aug 15 05:57:18 CEST 2013
Hello everyone,

We now have a demonstration of pip that securely and efficiently
downloads with TUF any package from a PyPI mirror:

https://github.com/theupdateframework/pip/wiki/pip-over-TUF

We hope that you will try our demonstration with your favourite packages
and tell us about any issue that you find.

TUF does not yet work on Microsoft Windows and Apple OS X. This is
because it depends for cryptography on a custom Python library (evpy)
which binds with OpenSSL. We are planning to fix this by moving to the
cross-platform Mozilla Network Security Services (NSS) library.

We also welcome your thoughts on features and enhancements that you
would like to see.

Our next demo will show security flaws in package managers such as pip
that do not use TUF. We will then see how pip with TUF addresses those
security attacks.

-The TUF team