PyPI & cryptographic signing and malware detection - seeking comment
The Python Software Foundation has published a Request for Information seeking software developers to add these features to Warehouse (PyPI):
* Verifiable cryptographic signing of artifacts (PEP 458/TUF or similar)
* Technical infrastructure and methods for automated detection of malicious package uploads
We'd like potential contractors & other experts to keep discussion at the Discourse forum https://discuss.python.org/c/python-software-foundation/pypi-q4-rfi , especially on these questions:
* What methods should we implement to detect malicious content? https://discuss.python.org/t/what-methods-should-we-implement-to-detect-mali...
* PEPs 458 and 480 offer different levels of security; which (if either) should we implement? Which one has more appropriate operational efficacy? Should we use TUF (The Update Framework) or another approach? https://discuss.python.org/t/which-cryptographic-signing-approach/2241
and more generally:
* What should community acceptance criteria be?
* How feasible is it to implement this on PyPI?
* What features do PyPI administrators need to make use of these features in the future?
* What work would the developer need to do to make these features more maintainable by future Warehouse maintainers?
Sorry, forgot to add:
Please comment by September 18th. That's when the RFI ends.
Then the Request for Proposals period will be September 23-October 16. Then we aim to start work in December. (Timeline details are in the RFI.)
On 9/3/19 10:40 AM, Sumana Harihareswara wrote: