On Wed, Apr 11, 2018 at 10:30 PM, Sumana Harihareswara <s...@changeset.nyc> wrote:
> Today, LWN published my new article "A new package index for Python".
> https://lwn.net/Articles/751458/
>
> In it, I discuss security, policy, UX and developer experience changes in the 15+ years since PyPI's founding, new features (and deprecated old features) in Warehouse, and future plans. Plus: screenshots!
>
> If you aren't already an LWN subscriber, you can use this subscriber link for the next week to read the article despite the LWN paywall.
> https://lwn.net/SubscriberLink/751458/81b2759e7025d6b9/

Thanks for the summary, and all your hard work, Sumana :)

Happy to see this bit about TUF in future horizons:

> Warehouse's signature handling demonstrates a shift in Python's thinking regarding key management and package signatures. Ideally, package users, software distributors, and package distribution tools would regularly use signatures to verify Python package integrity. For the most part, however, they don't, and there are major infrastructural barriers to them effectively doing so. Therefore, GPG/PGP signatures for packages are no longer visible in PyPI's web interface. Project maintainers can still attach signatures to their release uploads, and those signatures still appear in the Simple Project API as described in PEP 503. Stufft has made no secret of his opinion that "package signing is not the Holy Grail"; current discussion among packaging-tools developers leans toward removing signing features from another part of the Python packaging ecology (the wheel library) and working toward implementing The Update Framework instead. Relatedly, Warehouse, unlike legacy PyPI, does not provide an interface for users to manage GPG or SSH public keys.

We would love to help with these efforts any way we can.

--
curl https://keybase.io/trishankdatadog/pgp_keys.asc | gpg --import
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig