Re: Adding namespace support to PyPi (continuation from PyPA Summit/Sprint)
Will the TUF implementation need any changes to support namespaces?

In the minimum security model (PEP 458), namespaces should not affect TUF integration at all, since all target metadata (i.e. metadata about packages uploaded to PyPI) are signed with keys owned by PyPI.

In the maximum security model (PEP 480), PyPI delegates trust about packages to the packagers, i.e. the packagers sign TUF target metadata with their keys and upload it to PyPI along with the corresponding packages. The delegation is then **verified using package names**.

So in the latter case, namespace ownership and delegation management are indeed related, as in, both deal with package name prefixes. However, I think this is more an organizational matter than something that needs implementation changes. Besides, from what I gather from the "Namespace support in pypi" discussion [1], it's not really clear yet what namespace support actually means.

[1] https://discuss.python.org/t/namespace-support-in-pypi/1609/17

--
lukas.puehringer@nyu.edu
PGP fingerprint: 8BA6 9B87 D43B E294 F23E 8120 89A2 AD3C 07D9 62E8
participants (1): Lukas Puehringer
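The name-based delegation check discussed in the message above, as an added example that is not part of the original post and is not PyPI's or any TUF implementation's code. The role names, the path patterns and the `<project>/<filename>` target layout are assumptions, and the matching is a simplified component-wise glob with TUF-style ordered, terminating delegations.

```python
from fnmatch import fnmatchcase

# Constructed delegation table (hypothetical roles and patterns), listed in
# priority order the way delegations appear in TUF targets metadata.
DELEGATIONS = [
    # A namespace is just a delegation whose pattern is a project-name prefix.
    {"name": "acme-namespace", "paths": ["acme-*/*"], "terminating": True},
    # A single-project delegation to that project's packagers.
    {"name": "requests-maintainers", "paths": ["requests/*"], "terminating": True},
    # Everything else stays signed with repository-held keys.
    {"name": "pypi-signed", "paths": ["*/*"], "terminating": False},
]


def path_matches(target, pattern):
    """Glob-match per path component so '*' never crosses a '/'."""
    t_parts, p_parts = target.split("/"), pattern.split("/")
    return len(t_parts) == len(p_parts) and all(
        fnmatchcase(t, p) for t, p in zip(t_parts, p_parts)
    )


def responsible_roles(target, delegations=DELEGATIONS):
    """Roles a client would consult for `target`, in order.

    A terminating delegation that matches stops the search, so a lower
    priority role cannot sign for a name claimed by a higher one.
    """
    roles = []
    for d in delegations:
        if any(path_matches(target, p) for p in d["paths"]):
            roles.append(d["name"])
            if d["terminating"]:
                break
    return roles


def is_authorized(role, target, delegations=DELEGATIONS):
    """True if metadata signed by `role` may vouch for `target`."""
    return role in responsible_roles(target, delegations)


if __name__ == "__main__":
    for t in ("acme-utils/acme_utils-1.0.tar.gz", "acmeutils/acmeutils-1.0.tar.gz",
              "requests/requests-2.0.tar.gz", "flask/flask-1.0.tar.gz"):
        print(f"{t:40} -> {responsible_roles(t)}")
```

Adding a namespace changes only the delegation table, not the resolver, which is the sense in which the message calls it an organizational matter.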