
pep-on-pypi-with-tuf's People

Contributors

dachshund, justincappos, lvigdor, trishankkarthik, vladimir-v-diaz

pep-on-pypi-with-tuf's Issues

Comparison with consistent filesystem snapshots needs work

Use cases like the one in this PEP (where a consistent view of a changing filesystem is needed) are exactly why storage technologies like "LVM snapshots" exist: http://www.tldp.org/HOWTO/LVM-HOWTO/snapshots_backup.html

This means the PEP needs to make a much stronger case for why it proposes to reinvent snapshot creation at the web application layer rather than simply requiring the use of an appropriate storage layer (like LVM) that supports fast and cheap volume snapshots.

Hash collisions should be reported

Currently, we recommend that hash collisions can somehow be automatically handled. Since cryptographic hash algorithms should make hash collisions extremely unlikely, it is safer and acceptable to simply require the server to report an error.
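The behaviour asked for in this issue, as an added example that is not the PEP's or the TUF project's own code: a server-side target store keyed by digest (the consistent-snapshot naming style), which refuses with an error when a slot for a digest is already occupied by different bytes instead of trying to "handle" the collision. The in-memory store, the sample file contents and the injectable digest function are assumptions of this example; the injection exists only so the error path can be exercised, since a real SHA-256 collision cannot be produced.

```python
import hashlib
from typing import Callable, Dict


class HashCollisionError(Exception):
    """Raised when a different file already occupies the slot for this digest."""


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def store_target(store: Dict[str, bytes], filename: str, content: bytes,
                 digest_fn: Callable[[bytes], str] = sha256_hex) -> str:
    """Store `content` under "<digest>.<filename>" and return that key.

    Re-uploading identical bytes is a no-op (same key, same content). If the slot
    is already taken by different bytes, fail loudly: a collision in a
    cryptographic hash is so unlikely that silently resolving it is riskier than
    reporting it. `digest_fn` is injectable (assumption of this example) so that
    the collision branch can be demonstrated with a deliberately constant digest.
    """
    key = f"{digest_fn(content)}.{filename}"
    existing = store.get(key)
    if existing is None:
        store[key] = content
    elif existing != content:
        raise HashCollisionError(f"digest collision on {key}: refusing to overwrite")
    return key


if __name__ == "__main__":
    # Constructed sample inputs.
    store: Dict[str, bytes] = {}
    k1 = store_target(store, "pkg-1.0.tar.gz", b"release one")
    k2 = store_target(store, "pkg-1.0.tar.gz", b"release one")  # idempotent re-upload
    print(k1 == k2, len(store))
    try:
        # A constant "digest" stands in for a real collision, which cannot be produced here.
        store_target(store, "pkg-1.0.tar.gz", b"release one", digest_fn=lambda _: "0")
        store_target(store, "pkg-1.0.tar.gz", b"release two", digest_fn=lambda _: "0")
    except HashCollisionError as err:
        print("reported:", err)
```

The key point is the `elif`: the server never picks a winner between two files with the same digest; the upload that would overwrite is rejected and the operator is told.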

Duplicate keys when re-signing a repository

Currently, a repository re-signed with the same key duplicates the key in root.txt & targets.txt. The tools should detect if the key is the same when signing and simply update the file instead of adding the duplicate key.
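One way to make re-signing idempotent, as an added example that is not the project's own tooling: index keys by keyid so that adding the same key a second time updates nothing rather than appending a duplicate, plus a check that detects the defect described in the issue in metadata that already has it. The TUF-like layout with "keys" and "roles", the keyid derivation (SHA-256 of the canonical JSON of the public key) and the sample ed25519 key value are assumptions of this example.

```python
import hashlib
import json
from typing import Dict, List, Tuple


def new_root() -> Dict:
    """Fresh metadata skeleton (assumed layout: keys indexed by keyid, roles list keyids)."""
    return {
        "keys": {},
        "roles": {
            "root": {"keyids": [], "threshold": 1},
            "targets": {"keyids": [], "threshold": 1},
        },
    }


def keyid_for(public_key: Dict) -> str:
    """keyid = SHA-256 over the canonical JSON form of the public key (assumption)."""
    canonical = json.dumps(public_key, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def add_signing_key(metadata: Dict, role: str, public_key: Dict) -> bool:
    """Authorize public_key for role.

    Returns True if the metadata changed and False if the same key (same keyid)
    was already registered, so signing again with the same key is a no-op
    instead of producing a duplicate entry.
    """
    kid = keyid_for(public_key)
    changed = False
    if kid not in metadata["keys"]:
        metadata["keys"][kid] = public_key
        changed = True
    keyids = metadata["roles"][role]["keyids"]
    if kid not in keyids:
        keyids.append(kid)
        changed = True
    return changed


def duplicate_keyids(metadata: Dict) -> List[Tuple[str, str]]:
    """Report (role, keyid) pairs where a keyid is listed more than once for a role."""
    dups = []
    for role, info in metadata["roles"].items():
        seen = set()
        for kid in info["keyids"]:
            if kid in seen:
                dups.append((role, kid))
            seen.add(kid)
    return dups


if __name__ == "__main__":
    # Constructed sample key; the value is not a real key.
    key = {"keytype": "ed25519", "keyval": {"public": "ab" * 32}}
    md = new_root()
    print(add_signing_key(md, "targets", key))  # first signing: True
    print(add_signing_key(md, "targets", key))  # re-signing with same key: False
    print(len(md["keys"]), duplicate_keyids(md))
```

Because the second call returns False and leaves both "keys" and the role's "keyids" untouched, a signing tool built on it can re-sign as often as needed without growing the metadata; `duplicate_keyids` is the check to run over metadata produced before the fix.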

Fix typo

In this section:

"Although the merge cost may be amortized over time, this scheme is not conceptually si"

..."si" what, man? Don't leave us hanging there!

Keep the unclaimed role keys offline

As @JustinCappos observed, the unclaimed role keys may as well be offline (but the keys to the delegated unclaimed bin roles will still be online). There is no real security difference (because attackers who compromise the repository can still mess with the delegated unclaimed bin roles), but there is no harm in keeping it offline (at least the attackers cannot add, update or remove a delegated unclaimed bin role).
