[Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

Donald Stufft donald at stufft.io
Wed Dec 31 03:21:00 CET 2014


> On Dec 30, 2014, at 8:24 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> 
> On 23 December 2014 at 04:15, Vladimir Diaz <vladimir.v.diaz at gmail.com> wrote:
> On Mon, Dec 22, 2014 at 11:30 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> From my perspective, the split into two PEPs meant most of the areas I have doubts about have been moved to the end-to-end security model in PEP 480, leaving PEP 458 to cover the simpler task of securing the link from PyPI to the end user in such a way that public mirrors of packages can be trusted to accurately reflect the content published by PyPI.
> 
> I think splitting the proposal into two PEPs was the right decision.  We hope working with Donald on the end-to-end security model (PEP 480), and feedback from the community will help to address any remaining questions.  Excluding the end-to-end option from the revised version of PEP 458 also made room for an overview of the metadata and framework, which was requested by multiple members of the community.
> 
> An off-list question from Richard made me realise we should likely retitle the two PEPs slightly. I'd suggest the following names:
> 
> PEP 458: Surviving a compromise of the PyPI CDN

This isn’t exactly right either, because it won’t survive a compromise of the CDN for *uploading*, but it might be close enough not to matter. Perhaps better would be something about not relying on TLS or something.

> PEP 480: Surviving a compromise of PyPI
> 
> That encapsulates the difference between the threat model of the two PEPs in a way that the current titles don't quite convey (the reduced scope of PEP 458 in particular means that the current title is actually outright wrong - protecting against a compromise of PyPI itself is the scope that was moved to PEP 480).
> 
> The reduced scope of PEP 458 also still protects against the compromise of read-only mirrors, but I don't think we need to try to capture that directly in the title.
> 
> Cheers,
> Nick.
> 
> -- 
> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
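A toy model of the distinction drawn above, added here as an illustration; it is not code from the thread, from PEP 458 or 480, or from pip or the TUF reference implementation. It assumes a hypothetical `Index` whose online key signs a TUF-style targets map of filename to length and hash, and a client-side `verify_download` that checks served bytes against that signed metadata. The "signature" is an HMAC stand-in so the block runs on the standard library alone (a real deployment signs with an asymmetric key, and the client never holds the signer's secret). Two constructed scenarios show why the reduced PEP 458 scope survives a tampering CDN or mirror on the download path but not a compromise upstream of the online key on the upload path:

```python
# Added example (not from the thread or from either PEP): a toy model of the
# two threat models discussed above. The Index class, verify_download and the
# HMAC "signature" are constructed simplifications.
import hashlib
import hmac
import json

# Hypothetical online signing key held by the index. A real TUF deployment
# signs with an asymmetric key; HMAC is used here only so the example runs on
# the standard library. (With HMAC the verifier holds the same secret, which a
# real client never would.)
INDEX_KEY = b"index-online-targets-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj: dict) -> bytes:
    """Canonical JSON so signer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_targets(targets: dict, key: bytes) -> dict:
    """The index signs a map of filename -> {length, sha256} (a TUF-style targets role)."""
    sig = hmac.new(key, canonical(targets), "sha256").hexdigest()
    return {"signed": targets, "sig": sig}


def verify_targets(metadata: dict, key: bytes) -> bool:
    """Reject metadata whose signature does not match its signed body."""
    expected = hmac.new(key, canonical(metadata["signed"]), "sha256").hexdigest()
    return hmac.compare_digest(metadata["sig"], expected)


def verify_download(metadata: dict, key: bytes, filename: str, data: bytes) -> bool:
    """Client-side check: metadata must be validly signed and the bytes served
    (by PyPI itself, a CDN or a mirror) must match the signed length and hash."""
    if not verify_targets(metadata, key):
        return False
    entry = metadata["signed"].get(filename)
    if entry is None or len(data) != entry["length"]:
        return False
    return hmac.compare_digest(sha256_hex(data), entry["sha256"])


class Index:
    """Hypothetical index: whatever arrives on the upload path gets signed online."""

    def __init__(self) -> None:
        self.files: dict[str, bytes] = {}
        self.metadata = sign_targets({}, INDEX_KEY)

    def upload(self, filename: str, data: bytes) -> None:
        self.files[filename] = data
        targets = {n: {"length": len(d), "sha256": sha256_hex(d)}
                   for n, d in self.files.items()}
        self.metadata = sign_targets(targets, INDEX_KEY)


def scenario_cdn_tamper() -> bool:
    """Download path compromised: a CDN or mirror serves altered bytes while the
    signed metadata it relays is unchanged. Returns whether the client accepts."""
    idx = Index()
    idx.upload("pkg-1.0.tar.gz", b"genuine sdist bytes")  # constructed sample
    served = b"backdoored sdist bytes"                      # what the CDN hands out
    return verify_download(idx.metadata, INDEX_KEY, "pkg-1.0.tar.gz", served)


def scenario_upload_compromise() -> bool:
    """Upload path compromised: the attacker's file reaches the index before the
    online key signs it, so the metadata vouches for the bad bytes."""
    idx = Index()
    idx.upload("pkg-1.0.tar.gz", b"genuine sdist bytes")
    idx.upload("pkg-1.0.tar.gz", b"backdoored sdist bytes")  # replaced upstream of signing
    return verify_download(idx.metadata, INDEX_KEY, "pkg-1.0.tar.gz",
                           b"backdoored sdist bytes")


if __name__ == "__main__":
    print("CDN tampering accepted by client:", scenario_cdn_tamper())                 # False
    print("Upload-path tampering accepted by client:", scenario_upload_compromise())  # True
```

The first scenario is the PEP 458 case: as long as the client validates signed metadata, a mirror or CDN can only deny service, not substitute content, and TLS is not what the guarantee rests on. The second is why the title should not promise survival of an upload-path compromise: anything that reaches the index before the online key signs it looks identical to a legitimate release, which is the gap PEP 480's developer-held keys are meant to close.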

