
meejah:
carlo von lynX <lynX@time.to.get.psyced.org> writes:
The README sounds good, but it being implemented in python adds quite a heavy additional dependency.
My understanding is that TUF is two things: a spec, and a reference implementation (in Python). I'm sure other implementations would be welcome -- and, e.g., Docker Notary is such an implementation (in Go) as I understand it.
I've read up on TUF for F-Droid. Its a good discussion of the issues, but the TUF software itself is only really applicable in a narrow range of situations. For example, its in Python, so that's a no-go for Android or iOS, and somewhat difficult on Windows. I've always treated TUF as a nice overview of the issues. F-Droid has long implemented most of it, and now we are implementing the remaining key bits, and a couple of parts just seem like vastly too much effort in the short or medium term, versus the actual risk. .hc -- PGP fingerprint: EE66 20C7 136B 0D2C 456C 0A4D E9E2 8DEA 00AA 5556 https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556