[Distutils] Sooner or later, we're going to have to be more formal about how we name packages.

Trishank Karthik Kuppusamy tk47 at students.poly.edu
Sun Jun 2 15:42:49 CEST 2013


On 6/2/13 4:21 AM, Nick Coghlan wrote:
> On Sun, Jun 2, 2013 at 5:37 PM, holger krekel <holger at merlinux.eu> wrote:
>> Speaking of TUF: is there some kind of PEP like doc floating already?
>
> Just the proof-of-concept the TUF folks created about using it to
> secure /simple. I'm personally sold on the technology itself as
> something we should deploy in the long run, but I think it makes sense
> to wait until we have the static dependency metadata publication and
> various other PyPI related infrastructure issues sorted out before we
> try to offer additional protection above and beyond trusting the SSL
> CA system and PyPI itself.
>
> That said, one of the reasons PEP 426 calls out the "essential
> dependency resolution" fields is that those are the ones I think it
> may make sense to embed in the TUF custom metadata fields.
>

Nick got our proof-of-concept pretty much right, and I just want to make 
this correction: we offered security for both /simple and /packages, but 
only for a subset of packages. We were working on securing all the 
packages under PyPI, but were derailed by some projects with immediate 
deadlines.

The good news is that we will be continuing our work full-time this 
summer, and expect to make much progress.

We don't have a PEP for it, besides our design proposal[1]. I think a 
PEP is a good idea, and we should draft one along the way.

[1] 
https://docs.google.com/document/d/1sHMhgrGXNCvBZdmjVJzuoN5uMaUAUDWBmn3jo7vxjjw/edit?usp=sharing
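
Added illustration (not part of the thread, and not the TUF proof-of-concept code the reply refers to): what "securing /simple and /packages" with TUF amounts to on the client side is checking fetched bytes against lengths and hashes pinned in signed targets metadata, rather than trusting whatever the TLS connection delivered. The constructed Python below does that check and also reads back per-target "custom" metadata of the kind Nick mentions for PEP 426 dependency fields. Signature verification of the metadata itself is omitted; the target paths, the custom field names (name, version, run_requires) and the sample index and sdist bytes are all assumptions made for the example.

```python
"""Constructed example of TUF-style target verification for PyPI content.

Not the TUF PoC or any PyPI code. The "custom" field names are assumed,
modelled loosely on PEP 426 dependency fields; signature checking of the
metadata is left out and only the length/hash pinning is shown.
"""
import hashlib

# Constructed stand-ins for what a client would fetch from /simple and /packages.
SIMPLE_INDEX = (
    b"<html><body>"
    b"<a href='../../packages/source/e/example/example-1.0.tar.gz'>example-1.0.tar.gz</a>"
    b"</body></html>"
)
SDIST = b"constructed sdist bytes standing in for example-1.0.tar.gz"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed targets metadata. In TUF the "signed" body is covered by the
# targets role's signatures; those are not checked in this example.
TARGETS = {
    "signed": {
        "_type": "Targets",
        "targets": {
            "simple/example/index.html": {
                "length": len(SIMPLE_INDEX),
                "hashes": {"sha256": sha256_hex(SIMPLE_INDEX)},
            },
            "packages/source/e/example/example-1.0.tar.gz": {
                "length": len(SDIST),
                "hashes": {"sha256": sha256_hex(SDIST)},
                # Assumed custom fields carrying dependency metadata; this is
                # not a standardised TUF or PyPI schema.
                "custom": {
                    "name": "example",
                    "version": "1.0",
                    "run_requires": ["requests (>=2.0)"],
                },
            },
        },
    },
    "signatures": [],
}


class TargetMismatch(Exception):
    """Fetched content does not match the pinned targets entry."""


def verify_target(targets: dict, path: str, data: bytes) -> dict:
    """Check fetched bytes against the pinned length and hashes for `path`.

    Returns the target's custom metadata (empty dict if none). Raises
    TargetMismatch if the path is unlisted or length/hash differ, so a
    modified /simple page or a swapped sdist is rejected even when it
    arrived over a valid TLS connection.
    """
    try:
        entry = targets["signed"]["targets"][path]
    except KeyError:
        raise TargetMismatch(f"{path} is not listed in targets metadata")
    if len(data) != entry["length"]:
        raise TargetMismatch(f"{path}: length {len(data)} != {entry['length']}")
    for alg, expected in entry["hashes"].items():
        actual = hashlib.new(alg, data).hexdigest()
        if actual != expected:
            raise TargetMismatch(f"{path}: {alg} digest mismatch")
    return entry.get("custom", {})


def is_trusted(targets: dict, path: str, data: bytes) -> bool:
    """Boolean wrapper around verify_target for callers that only need yes/no."""
    try:
        verify_target(targets, path, data)
        return True
    except TargetMismatch:
        return False


def dependencies_for(targets: dict, path: str, data: bytes) -> list:
    """Return the run_requires list from verified custom metadata (assumed field)."""
    return list(verify_target(targets, path, data).get("run_requires", []))


if __name__ == "__main__":
    print(is_trusted(TARGETS, "simple/example/index.html", SIMPLE_INDEX))
    # Same length, different content: the hash check is what catches this.
    print(is_trusted(TARGETS, "simple/example/index.html",
                     SIMPLE_INDEX.replace(b"1.0", b"1.1")))
    print(dependencies_for(TARGETS,
                           "packages/source/e/example/example-1.0.tar.gz", SDIST))
```

The tampered-index case keeps the byte length unchanged on purpose: a length check alone would pass it, which is why the hash comparison is the part that matters. Reading dependency fields only after the hash check succeeds is also the point of embedding them in the targets entry: a resolver then acts on metadata that was pinned along with the artifact rather than on whatever the index page said.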
