
Bug#931178: RFS: python-tuf/0.11.2.dev3-1 [ITP]



Package: sponsorship-requests
Severity: wishlist

Dear mentors,

I am looking for a sponsor for my package "python-tuf"

* Package name    : python-tuf
  Version         : 0.11.2.dev3-1
  Upstream Author : tuf developers <theupdateframework@googlegroups.com>
* URL             : https://github.com/theupdateframework/tuf
* License         : Apache-2.0
  Section         : devel

It builds those binary packages:

  python3-tuf - plug-and-play library for securing a software updater

To access further information about this package, please visit the following URL:

https://mentors.debian.net/package/python-tuf


Alternatively, one can download the package with dget using this command:

  dget -x https://mentors.debian.net/debian/pool/main/p/python-tuf/python-tuf_0.11.2.dev3-1.dsc

More information about python-tuf can be obtained from
https://theupdateframework.com.

The development of TUF has been influenced by research on package managers
such as APT; see
- Justin Cappos, Justin Samuel, Scott Baker, and John H. Hartman. 2008.
A look in the mirror: attacks on package managers. In Proceedings of the 15th
ACM conference on Computer and communications security (CCS '08). ACM,
New York, NY, USA, 565-574.
https://theupdateframework.github.io/papers/attacks-on-package-managers-ccs2008.pdf

Although apt has since then addressed many of the vulnerabilities pointed out
by the above researchers, TUF's design for compromise resilience (reducing
impact by separating roles, easy-to-use key revocation, etc.) may still add
value to apt.

TUF was presented at DebConf2017. The Q&A part of the talk includes a brief
discussion about the use of TUF in apt today:
https://debconf17.debconf.org/talks/153/

Adding this TUF Python implementation to Debian would pave the way for an
integration into apt.

Furthermore, TUF has been shown to be well suited for the distribution of in-toto
metadata to provide software supply chain integrity guarantees to the end
user. See

https://www.datadoghq.com/blog/engineering/secure-publication-of-datadog-agent-integrations-with-tuf-and-in-toto/
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931013
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931026


Debian build instructions for the tuf package on mentors.debian.net are
available in this commit message:
https://github.com/theupdateframework/tuf/commit/a2532a15424fc667c4423f1795cfb7ea3399ea92


Changes since the last upload:

python-tuf (0.11.2.dev3-1) unstable; urgency=low

  * Initial release.

 -- Lukas Puehringer <lukas.puehringer@nyu.edu>  Thu, 27 Jun 2019 09:06:21 -0400


Regards,
 Lukas Pühringer

-- 
lukas.puehringer@nyu.edu
PGP fingerprint: 8BA6 9B87 D43B E294 F23E  8120 89A2 AD3C 07D9 62E8

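Added illustration (not part of the RFS above, and not python-tuf's own code or metadata format): a self-contained model of the compromise-resilience properties the mail mentions, i.e. separating roles, requiring a threshold of signatures, and revoking a key by rotating root. HMAC-SHA256 over a shared secret stands in for the Ed25519/RSA signatures real TUF metadata carries, so the "keys" that root distributes here double as signing secrets; with real signatures root would carry only public keys. All key material, file names and hashes are constructed for the example.

```python
import hashlib
import hmac
import json

# Toy stand-in for TUF-style signed metadata. HMAC-SHA256 replaces real
# signatures, so root's "keys" are also the signing secrets (an assumption
# of this model only). Nothing here is python-tuf's API.

def keyid(key: bytes) -> str:
    return hashlib.sha256(key).hexdigest()[:16]

def canonical(obj) -> bytes:
    # Signatures must cover a deterministic encoding of the signed portion.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(signed: dict, *keys: bytes) -> dict:
    msg = canonical(signed)
    sigs = [{"keyid": keyid(k), "sig": hmac.new(k, msg, "sha256").hexdigest()} for k in keys]
    return {"signed": signed, "signatures": sigs}

def verify_role(envelope: dict, role: str, root: dict) -> bool:
    """True if envelope carries >= threshold valid signatures from the keys that
    `root` assigns to `role`. Keys not listed for the role are ignored and each
    key counts once, so repeating a signature cannot reach a threshold of two."""
    info = root["roles"][role]
    msg = canonical(envelope["signed"])
    valid = set()
    for s in envelope["signatures"]:
        kid = s["keyid"]
        if kid not in info["keyids"] or kid not in root["keys"]:
            continue
        expected = hmac.new(bytes.fromhex(root["keys"][kid]), msg, "sha256").hexdigest()
        if hmac.compare_digest(expected, s["sig"]):
            valid.add(kid)
    return len(valid) >= info["threshold"]

def update_root(trusted: dict, candidate: dict) -> dict:
    """Root rotation: the candidate must be the next version, be signed by a
    threshold of the currently trusted root keys (a stolen non-root key cannot
    install new trust anchors) and by a threshold of its own root keys."""
    new_root = candidate["signed"]
    if new_root["version"] != trusted["version"] + 1:
        raise ValueError("unexpected root version")
    if not verify_role(candidate, "root", trusted):
        raise ValueError("not signed by enough currently trusted root keys")
    if not verify_role(candidate, "root", new_root):
        raise ValueError("not signed by enough of the new root's own keys")
    return new_root

def make_root(version: int, root_keys: list, targets_keys: list, root_threshold: int) -> dict:
    # Root lists every key and assigns keys plus a threshold to each role.
    keys = {keyid(k): k.hex() for k in root_keys + targets_keys}
    return {"_type": "root", "version": version, "keys": keys,
            "roles": {"root": {"keyids": [keyid(k) for k in root_keys], "threshold": root_threshold},
                      "targets": {"keyids": [keyid(k) for k in targets_keys], "threshold": 1}}}

def scenario() -> dict:
    """Targets-key compromise and recovery; all keys/hashes are constructed."""
    r1, r2, r3 = b"offline-root-key-1", b"offline-root-key-2", b"offline-root-key-3"
    t1, t2 = b"online-targets-key-1", b"online-targets-key-2"
    attacker_root = b"attacker-root-key"
    out = {}

    # Initial trust: three offline root keys (threshold 2), one online targets key.
    trusted = make_root(1, [r1, r2, r3], [t1], root_threshold=2)
    targets_v1 = {"_type": "targets", "version": 1,
                  "targets": {"agent.tar.gz": {"sha256": "aa" * 32}}}
    out["good_targets_ok"] = verify_role(sign(targets_v1, t1), "targets", trusted)

    # The online targets key leaks: the attacker can sign targets metadata...
    evil = {"_type": "targets", "version": 2,
            "targets": {"agent.tar.gz": {"sha256": "ee" * 32}}}
    evil_env = sign(evil, t1)
    out["evil_targets_accepted_before_revocation"] = verify_role(evil_env, "targets", trusted)

    # ...but cannot move trust: a root naming attacker keys lacks two of r1/r2/r3.
    rogue = sign(make_root(2, [attacker_root], [t1], 1), attacker_root, t1)
    try:
        update_root(trusted, rogue)
        out["rogue_root_rejected"] = False
    except ValueError:
        out["rogue_root_rejected"] = True

    # Revocation: owners publish root v2 replacing t1 with t2. One root
    # signature is below threshold; two are enough.
    root_v2 = make_root(2, [r1, r2, r3], [t2], root_threshold=2)
    try:
        update_root(trusted, sign(root_v2, r1))
        out["single_root_sig_rejected"] = False
    except ValueError:
        out["single_root_sig_rejected"] = True
    trusted = update_root(trusted, sign(root_v2, r1, r2))
    out["root_rotated"] = trusted["version"] == 2

    # After rotation the attacker's metadata no longer verifies; the new key does.
    out["evil_targets_accepted_after_revocation"] = verify_role(evil_env, "targets", trusted)
    out["new_targets_ok"] = verify_role(sign(targets_v1, t2), "targets", trusted)
    return out

if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The point the walk-through makes is the one in the mail: a leaked online key only ever buys the attacker the role that key holds, because the root role (offline keys, threshold 2) is the only thing that can change which keys are trusted, and revoking the leaked key is a single root version bump that clients accept only if it is signed by a threshold of the root keys they already trust.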