On 23 December 2014 at 04:15, Vladimir Diaz <vladimir.v.diaz@gmail.com> wrote:
On Mon, Dec 22, 2014 at 11:30 AM, Nick Coghlan <ncoghlan@gmail.com> wrote:
From my perspective, the split into two PEPs meant most of the areas I have doubts about have been moved to the end-to-end security model in PEP 480, leaving PEP 458 to cover the simpler task of securing the link from PyPI to the end user in such a way that public mirrors of packages can be trusted to accurately reflect the content published by PyPI.

I think splitting the proposal into two PEPs was the right decision.  We hope working with Donald on the end-to-end security model (PEP 480), and feedback from the community will help to address any remaining questions.  Excluding the end-to-end option from the revised version of PEP 458 also made room for an overview of the metadata and framework, which was requested by multiple members of the community.

An off-list question from Richard made me realise we should likely retitle the two PEPs slightly. I'd suggest the following names:

PEP 458: Surviving a compromise of the PyPI CDN
PEP 480: Surviving a compromise of PyPI

That encapsulates the difference between the threat model of the two PEPs in a way that the current titles don't quite convey (the reduced scope of PEP 458 in particular means that the current title is actually outright wrong - protecting against a compromise of PyPI itself is the scope that was moved to PEP 480).

The reduced scope of PEP 458 also still protects against the compromise of read-only mirrors, but I don't think we need to try to capture that directly in the title.


Nick Coghlan   |   ncoghlan@gmail.com   |   Brisbane, Australia