[Catalog-sig] V3 PEP-draft for transitioning to pypi-hosting of release files

Nick Coghlan ncoghlan at gmail.com
Thu Mar 14 15:39:46 CET 2013


On Thu, Mar 14, 2013 at 7:13 AM, Justin Cappos <jcappos at poly.edu> wrote:
> Maybe a different way to say it is that the current TUF integration doc
> assumes that it is desirable to make minimal change to PyPI's layout and
> pip, easy_install, etc. while adding security.   We made several choices
> based upon this assumption, including using and retaining the /simple dir.

I think what you're proposing now is a pretty good place to start
(although I'm suggesting making it even simpler in the near term by
starting by focusing on the PyPI->end user link, and then moving to
delegating signing of the per-project metadata to the individual
projects as a later step).

> If the community wants a more 'clean-slate' design, we could put that
> together also.   This requires a lot of information specific to your setup
> and use cases so we'd appreciate collaboration with you guys to write that
> up.

I'd like to do a "distribution 2.0" at some point where we make the
simple index redundant by including that info (and more) directly in
the TUF metadata, but I think that's a "later" project - securing what
we have now is a better place to start.

Cheers,
Nick.

>
> Thanks,
> Justin
>
>
> On Thu, Mar 14, 2013 at 8:14 AM, Trishank Karthik Kuppusamy
> <tk47 at students.poly.edu> wrote:
>>
>> On 3/14/13 4:58 AM, holger krekel wrote:
>>>
>>>
>>> I haven't followed the latest TUF discussions and related docs in
>>> depth yet but if those developments will regard "simple/" as a
>>> deprecated
>>> interface, I think this PEP here should maybe not introduce
>>> "simple/-with-externals" as it will just make the situation more
>>> complicated for everyone to understand in a few months from now.
>>
>>
>> I haven't yet followed your PEP in as much depth as I would like, but I
>> wish to assure you that we do not regard "/simple/" as a deprecated
>> interface. In fact, we aim to preserve backwards-compatibility as much as
>> possible! :)
>>
>>
>> _______________________________________________
>> Catalog-SIG mailing list
>> Catalog-SIG at python.org
>> http://mail.python.org/mailman/listinfo/catalog-sig



-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia