[Distutils] The Update Framework, integrate into PyPI?

Nathaniel Smith njs at pobox.com
Wed Nov 4 15:25:30 EST 2015


Hi Thomas,

It's great you're so enthusiastic about python packaging and distribution,
but it might be good to keep in mind that there are a lot of people reading
these lists, and answering basic questions can take time away from making
important improvements?

In this case, a quick google of "the update framework" or skimming of the
referenced PEP 458 would have revealed that TUF is totally orthogonal to
the kinds of updates that you're worried about -- it's about building a
cryptographic framework to let you reliably identify what the latest
version of some software is, even if e.g. someone has broken into pypi and
tried to add backdoors to the software there, which is important no matter
what strategy you then use to deploy those updates. In fact possibly the
largest deployment of TUF is the version built into docker's latest
release, to help you securely pick a good base image.

-n
On Nov 4, 2015 12:06 PM, "Thomas Güttler" <guettliml at thomas-guettler.de>
wrote:

> I read the RoadMap (Thank you Marcus Smith) and came across this:
>
> > An effort to integrate PyPI with the “The Update Framework” (TUF). This
> > is specified in PEP458
>
> I see a trend to immutable systems everywhere. Updates are a pain. Building
> new systems is easier. With current hardware and good software it is easier
> to build new systems instead of updating existing systems.
>
> It is like from pets to cattle:
>
>  - pets: you give them names and care for them (do updates)
>  - cattle: you give them numbers and if they get ill you get rid of them.
>
> Maybe I am missing something. But why is there an
> effort to create “The Update Framework”, and why integrate
> it with pypi?
>
> Regards,
>  Thomas Güttler
>
> --
> http://www.thomas-guettler.de/
>
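The property Nathaniel describes (a client can still tell which release is the genuine latest one even after the index itself has been compromised) comes from the client verifying signed metadata against keys it already trusts, rather than trusting whatever the server hands it. The following is an added example, not code from PEP 458, TUF or PyPI; it is a deliberately simplified single-role model written in Go with the standard library's Ed25519, and every key, filename, hash and package body in it is constructed for the demo. It shows the four checks a TUF-style client performs before installing anything: signature by the pinned key, no version rollback, metadata not expired (freeze attack), and the downloaded file matching the hash in the signed metadata.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// TargetsMetadata is a simplified stand-in for a TUF "targets" role file
// (constructed for this example; real TUF metadata has more roles and fields).
type TargetsMetadata struct {
	Version int               `json:"version"`
	Expires time.Time         `json:"expires"`
	Targets map[string]string `json:"targets"` // filename -> sha256 hex digest
}

// SignedMetadata bundles the serialized metadata with a signature over it.
type SignedMetadata struct {
	Signed    []byte
	Signature []byte
}

// Sign is what the maintainer side does with an offline key; clients never sign.
func Sign(priv ed25519.PrivateKey, md TargetsMetadata) (SignedMetadata, error) {
	b, err := json.Marshal(md)
	if err != nil {
		return SignedMetadata{}, err
	}
	return SignedMetadata{Signed: b, Signature: ed25519.Sign(priv, b)}, nil
}

// Client holds the only things a TUF client trusts a priori: a pinned public key
// (distributed via the root role) and the highest metadata version already accepted.
type Client struct {
	TargetsKey  ed25519.PublicKey
	LastVersion int
	Now         func() time.Time
}

var (
	ErrBadSignature = errors.New("metadata not signed by the pinned targets key")
	ErrRollback     = errors.New("metadata version older than one already seen (rollback)")
	ErrExpired      = errors.New("metadata has expired (possible freeze attack)")
	ErrHashMismatch = errors.New("downloaded file does not match hash in signed metadata")
	ErrUnknownFile  = errors.New("file is not listed in signed metadata")
)

// VerifyMetadata accepts metadata only if it is signed by the pinned key,
// is not older than what the client already saw, and has not expired.
func (c *Client) VerifyMetadata(sm SignedMetadata) (*TargetsMetadata, error) {
	if !ed25519.Verify(c.TargetsKey, sm.Signed, sm.Signature) {
		return nil, ErrBadSignature
	}
	var md TargetsMetadata
	if err := json.Unmarshal(sm.Signed, &md); err != nil {
		return nil, err
	}
	if md.Version < c.LastVersion {
		return nil, ErrRollback
	}
	if !c.Now().Before(md.Expires) {
		return nil, ErrExpired
	}
	c.LastVersion = md.Version
	return &md, nil
}

// VerifyTarget checks downloaded bytes against the hash in already-verified metadata.
func VerifyTarget(md *TargetsMetadata, name string, data []byte) error {
	want, ok := md.Targets[name]
	if !ok {
		return ErrUnknownFile
	}
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != want {
		return ErrHashMismatch
	}
	return nil
}

// Demo runs the scenarios a client must survive and returns each outcome.
func Demo() map[string]error {
	out := map[string]error{}
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)    // maintainer key (constructed)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader) // key held by a compromised index
	fixedNow := time.Date(2015, 11, 4, 0, 0, 0, 0, time.UTC)
	client := &Client{TargetsKey: pub, Now: func() time.Time { return fixedNow }}

	pkg := []byte("constructed package contents v2")
	backdoored := []byte("constructed package contents v2 + backdoor")
	sum, bsum := sha256.Sum256(pkg), sha256.Sum256(backdoored)
	good := TargetsMetadata{Version: 2, Expires: fixedNow.Add(24 * time.Hour),
		Targets: map[string]string{"example-2.0.tar.gz": hex.EncodeToString(sum[:])}}

	// 1. Honest metadata and honest file: accepted.
	sm, _ := Sign(priv, good)
	md, err := client.VerifyMetadata(sm)
	if err == nil {
		err = VerifyTarget(md, "example-2.0.tar.gz", pkg)
	}
	out["honest"] = err
	// 2. Compromised index re-signs metadata with its own key to bless a backdoored file.
	evil := good
	evil.Targets = map[string]string{"example-2.0.tar.gz": hex.EncodeToString(bsum[:])}
	esm, _ := Sign(attackerPriv, evil)
	_, out["tampered-metadata"] = client.VerifyMetadata(esm)
	// 3. Index keeps honest metadata but serves backdoored bytes: hash mismatch.
	if md != nil {
		out["tampered-file"] = VerifyTarget(md, "example-2.0.tar.gz", backdoored)
	}
	// 4. Replay of a genuinely signed but older version: rollback.
	old := good
	old.Version = 1
	osm, _ := Sign(priv, old)
	_, out["rollback"] = client.VerifyMetadata(osm)
	// 5. Genuinely signed metadata served past its expiry: freeze attack.
	stale := good
	stale.Expires = fixedNow.Add(-time.Hour)
	ssm, _ := Sign(priv, stale)
	_, out["expired"] = client.VerifyMetadata(ssm)
	return out
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-18s -> %v\n", name, err)
	}
}
```

The point of the design is that the index server never holds the key that signs `TargetsMetadata`, so an attacker who owns the server can replace files and re-serve old metadata but cannot mint metadata the client will accept; the expiry check is what stops the server from simply freezing clients on a known-good but outdated release. Real TUF adds the root, snapshot and timestamp roles and threshold signatures on top of this single check.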
