PEP 458: Secure transport independent download integrity for PyPI packages

Hi, devpi folks! I figure you might want to take a look at the PyPI security PEP currently being discussed, since I could imagine devpi wanting to also add TUF metadata handling for packages, and in case there are interoperability concerns/questions. https://discuss.python.org/t/pep-458-surviving-a-compromise-of-pypi/2648/

The PEP authors are revising the proposed summary, title, etc., per https://github.com/secure-systems-lab/peps/blob/c13384a4fac6822626abb7e09ab7... :

packages, and enhances compromise resilience, by mitigating key risk and providing mechanisms to recover from a compromise of PyPI or its signing keys. In addition to protecting direct users of PyPI, this PEP aims to provide similar protection for users of PyPI mirrors.
To provide compromise resilient protection of PyPI, this PEP proposes the use of The Update Framework [2]_ (TUF). .....
This PEP describes changes to the PyPI infrastructure that are needed to ensure that users get valid packages from PyPI. ...
__ https://github.com/theupdateframework/pip/wiki/Attacks-on-software-repositor... __ https://theupdateframework.github.io/security.html
Discussion should probably be directed to the Discourse thread at discuss.python.org ; this is just a heads-up. -- Sumana Harihareswara Changeset Consulting sh@changeset.nyc

On 12/20/19 8:07 PM, Sumana Harihareswara wrote:
Hi, devpi folks! I figure you might want to take a look at the PyPI security PEP currently being discussed, since I could imagine devpi wanting to also add TUF metadata handling for packages, and in case there are interoperability concerns/questions.
https://discuss.python.org/t/pep-458-surviving-a-compromise-of-pypi/2648/
The revised PEP 458 is at https://www.python.org/dev/peps/pep-0458/ as "PEP 458 -- Secure PyPI downloads with package signing." Discussion has been proceeding on Discourse. BDFL-Delegate Donald Stufft wrote today https://discuss.python.org/t/pep-458-secure-pypi-downloads-with-package-sign... :

It looks like discussion about the actual meat and potatoes of this PEP has petered out. Unless someone has an objection, I intend to accept this PEP on Friday.

-- Sumana Harihareswara Changeset Consulting https://changeset.nyc
