[Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

Donald Stufft donald at stufft.io
Fri Jan 2 17:26:16 CET 2015

> On Jan 2, 2015, at 11:14 AM, Vladimir Diaz <vladimir.v.diaz at gmail.com> wrote:
> Thanks for the great feedback - Nick, Donald, Paul, and Richard (off-list).
> I am totally fine with focusing on PEP 458 and applying the final coat of paint on this document.
> There's a lot of background documentation and technical details excluded from the PEPs (to avoid turning the PEP into a 15+ page behemoth), but I do agree that we should explicitly cover some of these implementation details in PEP 458.  Subsections on the exact format of metadata, explanation on how metadata is signed, and how the roles are "delegated" with the library, still remain.  As Paul has indicated, terminology can also be improved so as to be more readable for "non-experts."
> Let me know how we should collaborate on PEP 458 going forward.  Guido van Rossum made minor corrections to PEP 458, and requested we reflect his changes back to the version on Github.  We can either move hg.python.org/pep/pep-0458.txt <https://hg.python.org/peps/file/a532493ba99c/pep-0458.txt> to github.com/pypa <http://github.com/pypa> or github.com/theupdateframework/pep-on-pypi-with-tuf <http://github.com/theupdateframework/pep-on-pypi-with-tuf>.

As far as I’m concerned I’m willing to collab however is best for y’all. It appears you’re doing it on Github in the https://github.com/theupdateframework/pep-on-pypi-with-tuf repository so I’m happy to make PRs there. I’m also happy to make PRs elsewhere as well though I prefer somewhere on Github. I’ll sit down with PEP 458 maybe this weekend and see if I can crank out some PRs to refine it.

Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
