[Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

Nick Coghlan ncoghlan at gmail.com
Wed Dec 31 02:24:54 CET 2014


On 23 December 2014 at 04:15, Vladimir Diaz <vladimir.v.diaz at gmail.com>
wrote:

> On Mon, Dec 22, 2014 at 11:30 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
>
>> From my perspective, the split into two PEPs meant most of the areas I
>> have doubts about have been moved to the end-to-end security model in PEP
>> 480, leaving PEP 458 to cover the simpler task of securing the link from
>> PyPI to the end user in such a way that public mirrors of packages can be
>> trusted to accurately reflect the content published by PyPI.
>>
>
> I think splitting the proposal into two PEPs was the right decision.  We
> hope working with Donald on the end-to-end security model (PEP 480), and
> feedback from the community will help to address any remaining questions.
> Excluding the end-to-end option from the revised version of PEP 458 also
> made room for an overview of the metadata and framework, which was
> requested by multiple members of the community.
>

An off-list question from Richard made me realise we should likely retitle
the two PEPs slightly. I'd suggest the following names:

PEP 458: Surviving a compromise of the PyPI CDN
PEP 480: Surviving a compromise of PyPI

That encapsulates the difference between the threat model of the two PEPs
in a way that the current titles don't quite convey (the reduced scope of
PEP 458 in particular means that the current title is actually outright
wrong - protecting against a compromise of PyPI itself is the scope that
was moved to PEP 480).

The reduced scope of PEP 458 also still protects against the compromise of
read-only mirrors, but I don't think we need to try to capture that
directly in the title.

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia