wiki:GIR2.1_SecureUpdates

Version 1 (modified by lnevers@bbn.com, 9 years ago) (diff)

--

Secure Updates Evaluation

Version evaluated was downloaded with Mercurial instructions from https://www.updateframework.com/wiki/Download.

hg clone https://www.updateframework.com/hg/tuf/

The Update Framework (TUF) changeset version for downloaded is 11.

The TUF page provided pointers to an example PyPI repository mirror that includes TUF metadata. The TUF page also includes an attachment for an example TUF PyPI client.

Time Frame: This evaluation took place on June 30, 2010.

Secure Updates Findings

Instruction were clear and straight forward, and are found at the TUF: The Update Framework site. The enclosed README give a pointer to the TUF site.

The example PyPI repository mirror was used to execute the run-time commands, no repository was set up for this evaluation.

One python path problem was encountered while trying to use the client which was resolved by unpacking the client first and then getting TUF in the same directory. This is capture in the section below.

Secure Updates How-to

Trying to use the client ran into python path issues which were resolved by unpacking the client first and then getting TUF in the same directory:

lnevers@sendaria:~$ tar xvzf tuf_pypi_example.tar.gz
lnevers@sendaria:~$ cd tuf_pypi_example
lnevers@sendaria:~/tuf_pypi_example$ hg clone https://www.updateframework.com/hg/tuf/

Once the tuf repo is inside the tuf_pypi_example directory, one can get listings of packages

lnevers@sendaria:~/tuf_pypi_example$ ./tuf_pypi_client.py list 3to2
[2010-06-30 11:15:02,519] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/timestamp.txt
3to2-0.1a2.tar.gz
3to2-0.1a3.tar.gz

and download a package

lnevers@sendaria:~/tuf_pypi_example$ ./tuf_pypi_client.py download 3to2-0.1a3.tar.gz   
[2010-06-30 11:15:40,094] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/timestamp.txt
[2010-06-30 11:15:40,329] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/targets/3to2/3to2-0.1a3.tar.gz
[2010-06-30 11:15:40,927] [tuf] [INFO] Correct hash: d48d764e781597644e8d41a83954cb62354c07d2c74abdd7e32e4d119d764636
Downloaded file: 3to2-0.1a3.tar.gz

Here is an example of a package without any updates:

lnevers@sendaria:~/tuf_pypi_example$ ./tuf_pypi_client.py list neveredit
[2010-06-30 11:20:20,567] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/timestamp.txt
[2010-06-30 11:20:20,822] [tuf] [INFO] Metadata 'targets/n.txt' has changed
[2010-06-30 11:20:20,822] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/targets/n.txt
[2010-06-30 11:20:21,578] [tuf] [INFO] Metadata 'targets/n/neveredit.txt' has changed
[2010-06-30 11:20:21,578] [tuf] [INFO] Downloading http://pypi.updateframework.com:81/pypi/meta/targets/n/neveredit.txt
No files are available for package neveredit