Thanks for the clarification, guys.

Donald, I'm not sure what you mean by "a compromise of the CDN for *uploading*".

On Wed Dec 31 2014 at 1:21:18 PM Donald Stufft <> wrote:
On Dec 30, 2014, at 8:24 PM, Nick Coghlan <> wrote:

On 23 December 2014 at 04:15, Vladimir Diaz <> wrote:
On Mon, Dec 22, 2014 at 11:30 AM, Nick Coghlan <> wrote:
From my perspective, the split into two PEPs meant most of the areas I have doubts about have been moved to the end-to-end security model in PEP 480, leaving PEP 458 to cover the simpler task of securing the link from PyPI to the end user in such a way that public mirrors of packages can be trusted to accurately reflect the content published by PyPI.

I think splitting the proposal into two PEPs was the right decision.  We hope working with Donald on the end-to-end security model (PEP 480), and feedback from the community will help to address any remaining questions.  Excluding the end-to-end option from the revised version of PEP 458 also made room for an overview of the metadata and framework, which was requested by multiple members of the community.

An off-list question from Richard made me realise we should likely retitle the two PEPs slightly. I'd suggest the following names:

PEP 458: Surviving a compromise of the PyPI CDN

This isn’t exactly right either, because it won’t survive a compromise of the CDN for *uploading*, but it might be close enough not to matter. Perhaps better would be something about not relying on TLS or something.

PEP 480: Surviving a compromise of PyPI

That encapsulates the difference between the threat model of the two PEPs in a way that the current titles don't quite convey (the reduced scope of PEP 458 in particular means that the current title is actually outright wrong - protecting against a compromise of PyPI itself is the scope that was moved to PEP 480).

The reduced scope of PEP 458 also still protects against the compromise of read-only mirrors, but I don't think we need to try to capture that directly in the title.


Nick Coghlan   |   |   Brisbane, Australia
Distutils-SIG maillist  -
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

Distutils-SIG maillist  -