== Secure Updates Evaluation ==

The version evaluated was downloaded following the Mercurial instructions at https://www.updateframework.com/wiki/Download.

{{{
hg clone https://www.updateframework.com/hg/tuf/
}}}

The Update Framework (TUF) changeset version downloaded is 11.

The [https://www.updateframework.com TUF] page provided pointers to an example [http://pypi.updateframework.com:81/ PyPI] repository mirror that includes TUF metadata. The [https://www.updateframework.com TUF] page also includes an attachment for an example [https://www.updateframework.com/attachment/wiki/SecuringPythonPackageManagement/tuf_pypi_example.tar.gz TUF PyPI client].

Time Frame: This evaluation took place on June 30, 2010.

== Secure Updates Findings ==

Instructions were clear and straightforward, and are found at the [https://www.updateframework.com/wiki/SecuringPythonPackageManagement TUF: The Update Framework] site. The enclosed README gives a pointer to the TUF site. The example [http://pypi.updateframework.com:81/ PyPI repository mirror] was used to execute the run-time commands; no repository was set up for this evaluation. One Python path problem was encountered while trying to use the client, which was resolved by unpacking the client first and then getting TUF in the same directory. This is captured in the section below.
== Secure Updates How-to ==

Trying to use the client ran into Python path issues, which were resolved by unpacking the client first and then getting TUF in the same directory:

{{{
lnevers@sendaria:~$ tar xvzf tuf_pypi_example.tar.gz
lnevers@sendaria:~$ cd tuf_pypi_example
lnevers@sendaria:~/tuf_pypi_example$ hg clone https://www.updateframework.com/hg/tuf/
}}}

Once the tuf repo is inside the tuf_pypi_example directory, one can get listings of packages:

{{{
lnevers@sendaria:~/tuf_pypi_example$ ./tuf_pypi_client.py list 3to2
[2010-06-30 11:15:02,519] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/timestamp.txt
3to2-0.1a2.tar.gz
3to2-0.1a3.tar.gz
}}}

and download a package:

{{{
lnevers@sendaria:~/tuf_pypi_example$ ./tuf_pypi_client.py download 3to2-0.1a3.tar.gz
[2010-06-30 11:15:40,094] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/timestamp.txt
[2010-06-30 11:15:40,329] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/targets/3to2/3to2-0.1a3.tar.gz
[2010-06-30 11:15:40,927] [tuf] [INFO] Correct hash: d48d764e781597644e8d41a83954cb62354c07d2c74abdd7e32e4d119d764636
Downloaded file: 3to2-0.1a3.tar.gz
}}}

Here is an example of a package without any updates:

{{{
lnevers@sendaria:~/tuf_pypi_example$ ./tuf_pypi_client.py list neveredit
[2010-06-30 11:20:20,567] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/timestamp.txt
[2010-06-30 11:20:20,822] [tuf] [INFO] Metadata 'targets/n.txt' has changed
[2010-06-30 11:20:20,822] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/targets/n.txt
[2010-06-30 11:20:21,578] [tuf] [INFO] Metadata 'targets/n/neveredit.txt' has changed
[2010-06-30 11:20:21,578] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/targets/n/neveredit.txt
No files are available for package neveredit
}}}
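The three client behaviours visible in the sessions above (only re-fetch metadata that "has changed", list the targets under a package directory, and accept a downloaded file only after its hash matches the signed targets metadata) as an added Python example; this is not TUF's code nor the example client's, and the simplified metadata layout with `length` and `hashes` fields, the `cached`/`fresh` hash records and the sample target bytes are constructed assumptions, not TUF's actual file format:

```python
import hashlib
import hmac

# Constructed stand-in for 3to2-0.1a3.tar.gz (not the real package contents).
SAMPLE_TARGET_BYTES = b"constructed stand-in for 3to2-0.1a3.tar.gz\n"

# Constructed "targets" metadata in a simplified layout (assumption, not TUF's real
# format): each target records its byte length and expected SHA-256 digest.
TARGETS_METADATA = {
    "targets": {
        "3to2/3to2-0.1a3.tar.gz": {
            "length": len(SAMPLE_TARGET_BYTES),
            "hashes": {"sha256": hashlib.sha256(SAMPLE_TARGET_BYTES).hexdigest()},
        }
    }
}


def metadata_changed(cached: dict, fresh: dict, name: str) -> bool:
    """Mirror the 'Metadata ... has changed' decision in the log: a metadata file is
    re-downloaded only when the hash recorded for it by the freshly fetched
    higher-level metadata differs from the one cached locally (or nothing is cached)."""
    return cached.get(name, {}).get("sha256") != fresh.get(name, {}).get("sha256")


def list_versions(package: str, targets_meta: dict) -> list:
    """Like `tuf_pypi_client.py list <pkg>`: file names of all targets under <pkg>/."""
    prefix = package + "/"
    names = targets_meta.get("targets", {})
    return sorted(n[len(prefix):] for n in names if n.startswith(prefix))


def verify_target(name: str, data: bytes, targets_meta: dict) -> bool:
    """Accept a downloaded file only if the targets metadata lists it and the bytes
    match both the recorded length and the recorded SHA-256 digest ('Correct hash')."""
    entry = targets_meta.get("targets", {}).get(name)
    if entry is None:
        return False  # not listed in signed metadata: never trust it
    if len(data) != entry["length"]:
        return False  # cheap length check before hashing
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, entry["hashes"]["sha256"])


if __name__ == "__main__":
    print(list_versions("3to2", TARGETS_METADATA))
    print(verify_target("3to2/3to2-0.1a3.tar.gz", SAMPLE_TARGET_BYTES, TARGETS_METADATA))
```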