Hi! I'm forwarding this on behalf of Marina Moore ( https://github.com/mnm678 ).

- Sumana Harihareswara

---
PEP 458 ( https://www.python.org/dev/peps/pep-0458/ ) proposes using The Update Framework (TUF) to allow users of PyPI to verify that the packages they install originate from PyPI. Implementing this PEP would provide protection in the event of an attack on PyPI, its mirrors, or the network used to install packages.
We started this PEP in 2013, and have recently revised it and restarted discussion.
Recent discussion and revision of the PEP has been taking place on Discourse ( https://discuss.python.org/t/pep-458-secure-pypi-downloads-with-package-sign... ).
The PEP is ready for review and I look forward to your feedback!
Thanks,
Marina Moore
PEP 458 coauthor
Donald Stufft wrote today ( https://discuss.python.org/t/pep-458-secure-pypi-downloads-with-package-sign... ):
It looks like discussion about the actual meat and potatoes of this PEP has petered out. Unless someone has an objection, I intend to accept this PEP on Friday.