[Distutils] Surviving a Compromise of PyPI - PEP 458 and 480
Nick Coghlan
ncoghlan at gmail.com
Wed Dec 31 02:24:54 CET 2014
On 23 December 2014 at 04:15, Vladimir Diaz <vladimir.v.diaz at gmail.com>
wrote:
> On Mon, Dec 22, 2014 at 11:30 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
>
>> From my perspective, the split into two PEPs meant most of the areas I
>> have doubts about have been moved to the end-to-end security model in PEP
>> 480, leaving PEP 458 to cover the simpler task of securing the link from
>> PyPI to the end user in such a way that public mirrors of packages can be
>> trusted to accurately reflect the content published by PyPI.
>>
>
> I think splitting the proposal into two PEPs was the right decision. We
> hope working with Donald on the end-to-end security model (PEP 480), and
> feedback from the community will help to address any remaining questions.
> Excluding the end-to-end option from the revised version of PEP 458 also
> made room for an overview of the metadata and framework, which was
> requested by multiple members of the community.
>
An off-list question from Richard made me realise we should likely retitle
the two PEPs slightly. I'd suggest the following names:
PEP 458: Surviving a compromise of the PyPI CDN
PEP 480: Surviving a compromise of PyPI
That encapsulates the difference between the threat model of the two PEPs
in a way that the current titles don't quite convey (the reduced scope of
PEP 458 in particular means that the current title is actually outright
wrong - protecting against a compromise of PyPI itself is the scope that
was moved to PEP 480).
The reduced scope of PEP 458 also still protects against the compromise of
read-only mirrors, but I don't think we need to try to capture that
directly in the title.
Cheers,
Nick.
--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20141231/754074fb/attachment-0001.html>
More information about the Distutils-SIG
mailing list