PEP 458: Clarify sequence of PyPI and pip integration (#2789)

Sumana Harihareswara 2022-10-22 03:47:47 -04:00 committed by GitHub
parent ed92c0697c
commit 1838f20010
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed file with 5 additions and 4 deletions


@ -329,7 +329,11 @@ Integrating PyPI with TUF
=========================
A software update system must complete two main tasks to integrate with TUF.
First, it must add the framework to the client side of the update system. For
First, the repository on the server side MUST be modified to provide signed
TUF metadata. This PEP is concerned with the first part of the integration,
and the changes on PyPI required to support software updates with TUF.
Second, it must add the framework to the client side of the update system. For
example, TUF MAY be integrated with the pip package manager. Thus, new versions
of pip going forward SHOULD use TUF by default to download and verify distributions
from PyPI before installing them. However, there may be unforeseen issues that
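Review bot: normative keyword casing is now inconsistent inside the rewritten paragraph. The added server-side sentence uses the RFC 2119 form ("the repository on the server side MUST be modified to provide signed TUF metadata"), while the renumbered client-side sentence keeps lowercase ("Second, it must add the framework to the client side") and the lead sentence says "must complete two main tasks". The same hunk uses uppercase MAY and SHOULD for the pip statements, so a reader will infer a different requirement level from the casing; either capitalize "must" in the client-side sentence or drop the uppercase from the server-side one. The renumbering itself checks out: "This PEP is concerned with the first part of the integration" now points at the server-side/PyPI task, matching the deletion of the old "Second, the repository on the server side" paragraph further down.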
@ -340,9 +344,6 @@ until they are resolved. Note, the proposed option name is purposefully long,
because a user must be helped to understand that the action is unsafe and not
generally recommended.
Second, the repository on the server side MUST be modified to provide signed
TUF metadata. This PEP is concerned with the second part of the integration,
and the changes on PyPI required to support software updates with TUF.
We assume that pip would use TUF to verify distributions downloaded only from PyPI.
pip MAY support TAP 4__ in order use TUF to also verify distributions downloaded
from :pep:`elsewhere <470>`.
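Review bot: with the old "Second, the repository on the server side MUST be modified..." paragraph removed, confirm that a blank line still separates "generally recommended." from "We assume that pip would use TUF to verify distributions downloaded only from PyPI." in the resulting file; the rendered hunk does not show blank lines, and in reStructuredText a missing blank would merge the two paragraphs into one. Since the surrounding context is being touched anyway, the unchanged line "pip MAY support TAP 4__ in order use TUF to also verify distributions" is missing a word and should read "in order to use TUF".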