== Secure Updates Evaluation ==

The version evaluated was downloaded with the Mercurial instructions from https://www.updateframework.com/wiki/Download.
{{{
hg clone https://www.updateframework.com/hg/tuf/
}}}
The Update Framework (TUF) changeset version downloaded was 11.

The [https://www.updateframework.com TUF] page provided pointers to an
example [http://pypi.updateframework.com:81/ PyPI] repository mirror that
includes TUF metadata. The [https://www.updateframework.com TUF] page also
includes an attachment for an example
[https://www.updateframework.com/attachment/wiki/SecuringPythonPackageManagement/tuf_pypi_example.tar.gz TUF PyPI client].

Time Frame: This evaluation took place on June 30, 2010.

== Secure Updates Findings ==
Instructions were clear and straightforward, and are found at the
[https://www.updateframework.com/wiki/SecuringPythonPackageManagement TUF: The Update Framework] site.
The enclosed README gives a pointer to the TUF site.

The example [http://pypi.updateframework.com:81/ PyPI repository mirror] was used to execute the run-time
commands; no repository was set up for this evaluation.

One Python path problem was encountered while trying to use the client. It was resolved by unpacking the
client first and then getting TUF in the same directory. This is captured in the section below.

== Secure Updates How-to ==

Trying to use the client ran into Python path issues, which were resolved
by unpacking the client first and then getting TUF in the same directory:
{{{
lnevers@sendaria:~$ tar xvzf tuf_pypi_example.tar.gz
lnevers@sendaria:~$ cd tuf_pypi_example
lnevers@sendaria:~/tuf_pypi_example$ hg clone https://www.updateframework.com/hg/tuf/
}}}

Once the tuf repo is inside the tuf_pypi_example directory, one can list the files available for a package
{{{
lnevers@sendaria:~/tuf_pypi_example$ ./tuf_pypi_client.py list 3to2
[2010-06-30 11:15:02,519] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/timestamp.txt
3to2-0.1a2.tar.gz
3to2-0.1a3.tar.gz
}}}
and download a package
{{{
lnevers@sendaria:~/tuf_pypi_example$ ./tuf_pypi_client.py download 3to2-0.1a3.tar.gz
[2010-06-30 11:15:40,094] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/timestamp.txt
[2010-06-30 11:15:40,329] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/targets/3to2/3to2-0.1a3.tar.gz
[2010-06-30 11:15:40,927] [tuf] [INFO] Correct hash: d48d764e781597644e8d41a83954cb62354c07d2c74abdd7e32e4d119d764636
Downloaded file: 3to2-0.1a3.tar.gz
}}}

Here is an example of a package without any updates:

{{{
lnevers@sendaria:~/tuf_pypi_example$ ./tuf_pypi_client.py list neveredit
[2010-06-30 11:20:20,567] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/timestamp.txt
[2010-06-30 11:20:20,822] [tuf] [INFO] Metadata 'targets/n.txt' has changed
[2010-06-30 11:20:20,822] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/targets/n.txt
[2010-06-30 11:20:21,578] [tuf] [INFO] Metadata 'targets/n/neveredit.txt' has changed
[2010-06-30 11:20:21,578] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/targets/n/neveredit.txt
No files are available for package neveredit
}}}
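As an added illustration (not code from the evaluated client or the TUF code base), the following Python models the two checks visible in the log output above: a delegated metadata file is re-downloaded when the hash its parent metadata records no longer matches the cached copy ("Metadata ... has changed"), and a downloaded package is accepted only when its length and SHA-256 match the targets metadata ("Correct hash: ..."). The JSON layout, package bytes and the `neveredit` lookup are constructed for the example; TUF's signature verification of each metadata file is not modelled here.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data (not from the real mirror). The package bytes stand
# in for 3to2-0.1a3.tar.gz; the metadata shape is a simplification of TUF's.
PACKAGE_NAME = "3to2/3to2-0.1a3.tar.gz"
PACKAGE = b"constructed contents of 3to2-0.1a3.tar.gz"
TARGETS_META = {"targets": {
    PACKAGE_NAME: {"length": len(PACKAGE), "hashes": {"sha256": sha256_hex(PACKAGE)}},
}}
FRESH_DELEGATION = json.dumps(TARGETS_META).encode()       # what the mirror serves now
CACHED_DELEGATION = json.dumps({"targets": {}}).encode()   # stale local copy
# The parent metadata pins the hash of the delegated file it points to.
PARENT_ENTRY = {"hashes": {"sha256": sha256_hex(FRESH_DELEGATION)}}


def metadata_changed(parent_entry: dict, cached) -> bool:
    """Re-download a delegated metadata file when the cached copy is missing
    or its hash differs from the one pinned by the parent metadata."""
    return cached is None or sha256_hex(cached) != parent_entry["hashes"]["sha256"]


def verify_target(name: str, data: bytes, targets_meta: dict) -> str:
    """Accept a downloaded file only if length and SHA-256 match its metadata
    entry; return the verified digest (the client's 'Correct hash:' value)."""
    entry = targets_meta["targets"].get(name)
    if entry is None:
        raise ValueError(f"No files are available for package {name}")
    if len(data) != entry["length"]:
        raise ValueError(f"{name}: length {len(data)} != {entry['length']}")
    digest = sha256_hex(data)
    if digest != entry["hashes"]["sha256"]:
        raise ValueError(f"{name}: hash mismatch")
    return digest


def run_example() -> dict:
    """Walk through the situations seen in the client log plus a tampered file."""
    results = {
        "delegation_changed": metadata_changed(PARENT_ENTRY, CACHED_DELEGATION),
        "delegation_fresh": metadata_changed(PARENT_ENTRY, FRESH_DELEGATION),
        "correct_hash": verify_target(PACKAGE_NAME, PACKAGE, TARGETS_META),
    }
    for key, name, data in (("tampered_rejected", PACKAGE_NAME, PACKAGE + b"\x00"),
                            ("unknown_rejected", "neveredit/neveredit-1.0.tar.gz", b"")):
        try:
            verify_target(name, data, TARGETS_META)
            results[key] = False
        except ValueError:
            results[key] = True
    return results
```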