[tahoe-lafs-trac-stream] [Tahoe-LAFS] #2761: self-update command
Tahoe-LAFS
trac at tahoe-lafs.org
Thu Mar 31 18:29:31 UTC 2016
#2761: self-update command
-----------------------------+-----------------------
Reporter: warner | Owner:
Type: enhancement | Status: new
Priority: normal | Milestone: undecided
Component: packaging | Version: 1.10.2
Resolution: | Keywords:
Launchpad Bug: |
-----------------------------+-----------------------
Comment (by warner):
Leif: oh, sure, that Ed25519 signature could be implemented as a
quorum/TUF-style signature bundle, to turn that single-point-of-compromise
into a quorum-of-compromise. I think that's extra credit, though, because
almost all of the current schemes have multiple points of compromise.
(hey, that gives us a t-shirt version: "MPOC bad! SPOC better! QUOC
best!")

I think the pip folks (especially dstufft) are keen on moving in this
direction, at least partially. They've been working to add signatures to
wheel files, and per-project pubkeys to the PyPI entries.

But everything I've seen so far is one-wheel-at-a-time. I don't think
there's any support yet for whole-project hash-locked
requirements.txt-based installs. Using requirements files, and therefore
hashes, must be done manually, by downloading a requirements.txt (possibly
by doing a git checkout or unpacking a tarball), then running
`pip install -r requirements.txt`. There's no `pip install tahoe-lafs`-like
thing that will automatically fetch one for you.

So anyways, I suspect that we'd have to be a trail-breaker here. We could
prototype this in Tahoe and then help push it upstream into pip. I agree
that this wants to live somewhere larger than just Tahoe, but it's not
there yet, and ya gotta start somewhere.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/2761#comment:3>
Tahoe-LAFS <https://Tahoe-LAFS.org>
secure decentralized storage
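
Added example (not part of the ticket comment and not Tahoe-LAFS or pip code): a minimal check of what "hash-locked" means for a whole requirements.txt, where every entry must be pinned with `==` and carry at least one `--hash=sha256:` digest, and a fetched file is accepted only if its digest is on that list. The package names, file contents and function names are constructed for illustration.

```python
import hashlib
import re

# Constructed stand-ins for two downloaded release files (not real packages).
PKG_FILE = b"constructed wheel bytes"
DEP_FILE = b"constructed sdist bytes"

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

# Constructed lock file; the "\\" below is a backslash line continuation.
SAMPLE_REQUIREMENTS = """\
# constructed example, not the real Tahoe-LAFS dependency list
example-pkg==1.0 \\
    --hash=sha256:%s
example-dep==2.3 --hash=sha256:%s
""" % (sha256_hex(PKG_FILE), sha256_hex(DEP_FILE))

PIN_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)==([^\s;]+)$")
HASH_OPT = "--hash=sha256:"

def parse_locked(text):
    """Return {(name, version): {sha256 hex, ...}}.

    Raises ValueError for any entry that is not exactly pinned or has no
    hash, so one loose line fails the whole file instead of being skipped.
    """
    locked = {}
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split(" #")[0].strip()
        if not line or line.startswith("#"):
            continue
        spec, opts = line.split()[0], line.split()[1:]
        pin = PIN_RE.match(spec)
        if not pin:
            raise ValueError("not pinned with ==: %r" % spec)
        digests = set()
        for opt in opts:
            digest = opt[len(HASH_OPT):].lower()
            if not opt.startswith(HASH_OPT) or not re.fullmatch(r"[0-9a-f]{64}", digest):
                raise ValueError("unsupported or malformed option: %r" % opt)
            digests.add(digest)
        if not digests:
            raise ValueError("no hash for %r" % spec)
        locked[(pin.group(1).lower(), pin.group(2))] = digests
    return locked

def verify_artifact(locked, name, version, data):
    """True only if data's SHA-256 is one of the digests locked for name==version."""
    return sha256_hex(data) in locked.get((name.lower(), version), set())
```

The lock file itself still has to arrive over a trusted path; the hashes only bind the packages to whatever requirements.txt was fetched.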