On Thu, Mar 14, 2013 at 7:13 AM, Justin Cappos <jcap...@poly.edu> wrote:
> Maybe a different way to say it is that the current TUF integration doc
> assumes that it is desirable to make minimal change to PyPI's layout and
> pip, easy_install, etc. while adding security. We made several choices
> based upon this assumption, including using and retaining the /simple dir.

I think what you're proposing now is a pretty good place to start (although
I'm suggesting making it even simpler in the near term by starting by
focusing on the PyPI->end user link, and then moving to delegating signing
of the per-project metadata to the individual projects as a later step)

> If the community wants a more 'clean-slate' design, we could put that
> together also. This requires a lot of information specific to your setup
> and use cases so we'd appreciate collaboration with you guys to write that
> up.

I'd like to do a "distribution 2.0" at some point where we make the simple
index redundant by including that info (and more) directly in the TUF
metadata, but I think that's a "later" project - securing what we have now
is a better place to start.

Cheers,
Nick.

>
> Thanks,
> Justin
>
>
> On Thu, Mar 14, 2013 at 8:14 AM, Trishank Karthik Kuppusamy
> <t...@students.poly.edu> wrote:
>>
>> On 3/14/13 4:58 AM, holger krekel wrote:
>>>
>>>
>>> I haven't followed the latest TUF discussions and related docs in
>>> depth yet but if those developments will regard "simple/" as a
>>> deprecated interface, I think this PEP here should maybe not introduce
>>> "simple/-with-externals" as it will just make the situation more
>>> complicated for everyone to understand in a few months from now.
>>
>>
>> I haven't yet followed your PEP in as much depth as I would like, but I
>> wish to assure you that we do not regard "/simple/" as a deprecated
>> interface. In fact, we aim to preserve backwards-compatibility as much as
>> possible! :)
>>
>>
>> _______________________________________________
>> Catalog-SIG mailing list
>> Catalog-SIG@python.org
>> http://mail.python.org/mailman/listinfo/catalog-sig
>

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia