| | 1 | == Secure Updates Evaluation == |
| | 2 | |
| | 3 | Version evaluated was downloaded with Mercurial instructions from https://www.updateframework.com/wiki/Download. |
| | 4 | {{{ |
| | 5 | hg clone https://www.updateframework.com/hg/tuf/ |
| | 6 | }}} |
| | 7 | The Update Framework (TUF) changeset version for downloaded is 11. |
| | 8 | |
| | 9 | The [https://www.updateframework.com TUF] page provided pointers to an |
| | 10 | example [http://pypi.updateframework.com:81/ PyPI] repository mirror that |
| | 11 | includes TUF metadata. The [https://www.updateframework.com TUF] page also |
| | 12 | includes an attachment for an example |
| | 13 | [https://www.updateframework.com/attachment/wiki/SecuringPythonPackageManagement/tuf_pypi_example.tar.gz TUF PyPI client]. |
| | 14 | |
| | 15 | Time Frame: This evaluation took place on June 30, 2010. |
| | 16 | |
| | 17 | == Secure Updates Findings == |
| | 18 | Instruction were clear and straight forward, and are found at the |
| | 19 | [https://www.updateframework.com/wiki/SecuringPythonPackageManagement TUF: The Update Framework] site. |
| | 20 | The enclosed README give a pointer to the TUF site. |
| | 21 | |
| | 22 | The example [http://pypi.updateframework.com:81/ PyPI repository mirror] was used to execute the run-time |
| | 23 | commands, no repository was set up for this evaluation. |
| | 24 | |
| | 25 | One python path problem was encountered while trying to use the client which was resolved by unpacking the |
| | 26 | client first and then getting TUF in the same directory. This is capture in the section below. |
| | 27 | |
| | 28 | |
| | 29 | == Secure Updates How-to == |
| | 30 | |
| | 31 | Trying to use the client ran into python path issues which were resolved |
| | 32 | by unpacking the client first and then getting TUF in the same directory: |
| | 33 | {{{ |
| | 34 | lnevers@sendaria:~$ tar xvzf tuf_pypi_example.tar.gz |
| | 35 | lnevers@sendaria:~$ cd tuf_pypi_example |
| | 36 | lnevers@sendaria:~/tuf_pypi_example$ hg clone https://www.updateframework.com/hg/tuf/ |
| | 37 | }}} |
| | 38 | |
| | 39 | Once the tuf repo is inside the tuf_pypi_example directory, one can get listings of packages |
| | 40 | {{{ |
| | 41 | lnevers@sendaria:~/tuf_pypi_example$ ./tuf_pypi_client.py list 3to2 |
| | 42 | [2010-06-30 11:15:02,519] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/timestamp.txt |
| | 43 | 3to2-0.1a2.tar.gz |
| | 44 | 3to2-0.1a3.tar.gz |
| | 45 | }}} |
| | 46 | and download a package |
| | 47 | {{{ |
| | 48 | lnevers@sendaria:~/tuf_pypi_example$ ./tuf_pypi_client.py download 3to2-0.1a3.tar.gz |
| | 49 | [2010-06-30 11:15:40,094] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/timestamp.txt |
| | 50 | [2010-06-30 11:15:40,329] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/targets/3to2/3to2-0.1a3.tar.gz |
| | 51 | [2010-06-30 11:15:40,927] [tuf] [INFO] Correct hash: d48d764e781597644e8d41a83954cb62354c07d2c74abdd7e32e4d119d764636 |
| | 52 | Downloaded file: 3to2-0.1a3.tar.gz |
| | 53 | }}} |
| | 54 | |
| | 55 | Here is an example of a package without any updates: |
| | 56 | |
| | 57 | {{{ |
| | 58 | lnevers@sendaria:~/tuf_pypi_example$ ./tuf_pypi_client.py list neveredit |
| | 59 | [2010-06-30 11:20:20,567] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/timestamp.txt |
| | 60 | [2010-06-30 11:20:20,822] [tuf] [INFO] Metadata 'targets/n.txt' has changed |
| | 61 | [2010-06-30 11:20:20,822] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/targets/n.txt |
| | 62 | [2010-06-30 11:20:21,578] [tuf] [INFO] Metadata 'targets/n/neveredit.txt' has changed |
| | 63 | [2010-06-30 11:20:21,578] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/targets/n/neveredit.txt |
| | 64 | No files are available for package neveredit |
| | 65 | }}} |
