From "TUF, Warehouse, Pip, PyPA, ld-signatures, ed25519"
Are there pypa/warehouse github issues for implementing the TUF trust root support in warehouse; and client support in pip (or a module that pip and other tools can use)?
Read and review these PEPs:
"PEP 458 -- Surviving a Compromise of PyPI" https://www.python.org/dev/peps/pep-0458/
"PEP 480 -- Surviving a Compromise of PyPI: The Maximum Security Model" https://www.python.org/dev/peps/pep-0480/
On Thursday, April 12, 2018, Trishank Kuppusamy <firstname.lastname@example.org> wrote:
On Wed, Apr 11, 2018 at 10:30 PM, Sumana Harihareswara email@example.com wrote:
Today, LWN published my new article "A new package index for Python". https://lwn.net/Articles/751458/ In it, I discuss security, policy, UX and developer experience changes in the 15+ years since PyPI's founding, new features (and deprecated old features) in Warehouse, and future plans. Plus: screenshots!
If you aren't already an LWN subscriber, you can use this subscriber link for the next week to read the article despite the LWN paywall. https://lwn.net/SubscriberLink/751458/81b2759e7025d6b9/
Thanks for the summary, and all your hard work, Sumana :)
Happy to see this bit about TUF in future horizons:
Warehouse's signature handling demonstrates a shift in Python's thinking regarding key management and package signatures. Ideally, package users, software distributors, and package distribution tools would regularly use signatures to verify Python package integrity. For the most part, however, they don't, and there are major infrastructural barriers to them effectively doing so. Therefore, GPG/PGP signatures for packages are no longer visible in PyPI's web interface. Project maintainers can still attach signatures to their release uploads, and those signatures still appear in the Simple Project API as described in PEP 503. Stufft has made no secret of his opinion that "package signing is not the Holy Grail"; current discussion among packaging-tools developers leans toward removing signing features from another part of the Python packaging ecology (the wheel library) and working toward implementing The Update Framework instead. Relatedly, Warehouse, unlike legacy PyPI, does not provide an interface for users to manage GPG or SSH public keys.
We would love to help with these efforts any way we can.
-- curl https://keybase.io/trishankdatadog/pgp_keys.asc | gpg --import