From "TUF, Warehouse, Pip, PyPA, ld-signatures, ed25519" https://mail.python.org/pipermail/distutils-sig/2018-March/032081.html :

> Are there pypa/warehouse github issues for implementing the TUF trust root
> support in warehouse; and client support in pip (or a module that pip and
> other tools can use)?

Read and review these PEPs:

"PEP 458 -- Surviving a Compromise of PyPI"
https://www.python.org/dev/peps/pep-0458/

"PEP 480 -- Surviving a Compromise of PyPI: The Maximum Security Model"
https://www.python.org/dev/peps/pep-0480/

On Thursday, April 12, 2018, Trishank Kuppusamy <trishank.kuppus...@datadoghq.com> wrote:

> On Wed, Apr 11, 2018 at 10:30 PM, Sumana Harihareswara <s...@changeset.nyc> wrote:
>
>> Today, LWN published my new article "A new package index for Python".
>> https://lwn.net/Articles/751458/ In it, I discuss security, policy, UX
>> and developer experience changes in the 15+ years since PyPI's founding,
>> new features (and deprecated old features) in Warehouse, and future
>> plans. Plus: screenshots!
>>
>> If you aren't already an LWN subscriber, you can use this subscriber
>> link for the next week to read the article despite the LWN paywall.
>> https://lwn.net/SubscriberLink/751458/81b2759e7025d6b9/
>
> Thanks for the summary, and all your hard work, Sumana :)
>
> Happy to see this bit about TUF in future horizons:
>
>> Warehouse's signature handling demonstrates a shift in Python's thinking
>> regarding key management and package signatures. Ideally, package users,
>> software distributors, and package distribution tools would regularly use
>> signatures to verify Python package integrity. For the most part, however,
>> they don't, and there are major infrastructural barriers to them
>> effectively doing so. Therefore, GPG/PGP signatures for packages are no
>> longer visible in PyPI's web interface. Project maintainers can still
>> attach signatures to their release uploads, and those signatures still
>> appear in the Simple Project API as described in PEP 503. Stufft has made
>> no secret of his opinion that "package signing is not the Holy Grail";
>> current discussion among packaging-tools developers leans toward removing
>> signing features from another part of the Python packaging ecology (the
>> wheel library) and working toward implementing The Update Framework
>> instead. Relatedly, Warehouse, unlike legacy PyPI, does not provide an
>> interface for users to manage GPG or SSH public keys.
>
> We would love to help with this effort any way we can.
>
> --
> curl https://keybase.io/trishankdatadog/pgp_keys.asc | gpg --import

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig