Changes between Initial Version and Version 1 of GIR2.1_SecureUpdates


Ignore:
Timestamp:
03/14/11 21:59:17 (11 years ago)
Author:
lnevers@bbn.com
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • GIR2.1_SecureUpdates

    v1 v1  
     1== Secure Updates Evaluation ==
     2
     3Version evaluated was downloaded with Mercurial instructions from https://www.updateframework.com/wiki/Download. 
     4{{{
     5hg clone https://www.updateframework.com/hg/tuf/
     6}}}
     7The Update Framework (TUF) changeset version for downloaded is 11.
     8
     9The [https://www.updateframework.com TUF] page provided pointers to an
     10example [http://pypi.updateframework.com:81/ PyPI] repository mirror that
     11includes TUF metadata. The [https://www.updateframework.com TUF] page also
     12includes an attachment for an example
     13[https://www.updateframework.com/attachment/wiki/SecuringPythonPackageManagement/tuf_pypi_example.tar.gz TUF PyPI client].
     14
     15Time Frame: This evaluation took place on June 30, 2010.
     16
     17== Secure Updates Findings ==
     18Instruction were clear and straight forward, and are found at the
     19[https://www.updateframework.com/wiki/SecuringPythonPackageManagement TUF: The Update Framework] site.
     20The enclosed README give a pointer to the TUF site.
     21
     22The example [http://pypi.updateframework.com:81/ PyPI repository mirror] was used to execute the run-time 
     23commands, no repository was set up for this evaluation.
     24
     25One python path problem was encountered while trying to use the client which was resolved by unpacking the
     26client first and then getting TUF in the same directory. This is capture in the section below.
     27 
     28
     29== Secure Updates How-to ==
     30
     31Trying to use the client ran into python path issues which were resolved
     32by unpacking the client first and then getting TUF in the same directory:
     33{{{
     34lnevers@sendaria:~$ tar xvzf tuf_pypi_example.tar.gz
     35lnevers@sendaria:~$ cd tuf_pypi_example
     36lnevers@sendaria:~/tuf_pypi_example$ hg clone https://www.updateframework.com/hg/tuf/
     37}}}
     38
     39Once the tuf repo is inside the tuf_pypi_example directory, one can get listings of packages
     40{{{
     41lnevers@sendaria:~/tuf_pypi_example$ ./tuf_pypi_client.py list 3to2
     42[2010-06-30 11:15:02,519] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/timestamp.txt
     433to2-0.1a2.tar.gz
     443to2-0.1a3.tar.gz
     45}}}
     46and download a package
     47{{{
     48lnevers@sendaria:~/tuf_pypi_example$ ./tuf_pypi_client.py download 3to2-0.1a3.tar.gz   
     49[2010-06-30 11:15:40,094] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/timestamp.txt
     50[2010-06-30 11:15:40,329] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/targets/3to2/3to2-0.1a3.tar.gz
     51[2010-06-30 11:15:40,927] [tuf] [INFO] Correct hash: d48d764e781597644e8d41a83954cb62354c07d2c74abdd7e32e4d119d764636
     52Downloaded file: 3to2-0.1a3.tar.gz
     53}}}
     54
     55Here is an example of a package without any updates:
     56
     57{{{
     58lnevers@sendaria:~/tuf_pypi_example$ ./tuf_pypi_client.py list neveredit
     59[2010-06-30 11:20:20,567] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/timestamp.txt
     60[2010-06-30 11:20:20,822] [tuf] [INFO] Metadata 'targets/n.txt' has changed
     61[2010-06-30 11:20:20,822] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/targets/n.txt
     62[2010-06-30 11:20:21,578] [tuf] [INFO] Metadata 'targets/n/neveredit.txt' has changed
     63[2010-06-30 11:20:21,578] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/targets/n/neveredit.txt
     64No files are available for package neveredit
     65}}}