* Add non-goals section to clarify that this PEP does not remove support for GPG signatures.
* Update pep-0458.txt
Co-Authored-By: Trishank Karthik Kuppusamy <33133073+trishankatdatadog@users.noreply.github.com>
Co-authored-by: Trishank Karthik Kuppusamy <33133073+trishankatdatadog@users.noreply.github.com>
Add subsection to section "Managing Future Changes to the Update
Process" that explains how to transition from an old (e.g. because
it has become weak) to a new (e.g. stronger) hashing algorithm
without disrupting client workflows.
Uses static last stable version tag (v0.11.1), instead of dynamic
branch name (develop), when pointing to documents in the TUF
repository. This makes them more prone to become outdated but less
prone to 404.
Note, that the two referenced tuf publications are also available
under more permanent, albeit paywalled DOIs:
[2] https://doi.org/10.1145/1866307.1866315
[13] https://doi.org/10.1145/1455770.1455841
Facebook Research has now funded implementation of
cryptographic signing of packages on PyPI. Per
https://github.com/pypa/warehouse/issues/5247#issuecomment-535278176
this means that PEP 458 now moves out of Deferred
status and into Draft status.
Since the PEP was created, the BDFL-Delegate for
PyPI-related PEPs has shifted, and Donald Stufft
is now the Delegate.
PEP 458 now focuses on content security (rather than the current
transport-only security) between PyPI and end users.
PEP 480 builds on PEP 458 to also provide end-to-end security
that can fully handle a compromise of PyPI.
mnm678
Sumana Harihareswara
lukpueh
Trishank Karthik Kuppusamy
lukpueh
Min ho Kim
Brett Cannon
Mariatta
Huang Huang
Serhiy Storchaka
Marti Raudsepp
Guido van Rossum
Nick Coghlan