In preparation for the 1.0.0** release of the TUF reference
implementation `python-tuf`, documentation referenced in this PEP is
being moved. This patch updates the corresponding links in the PEP.
** See 059bfda391/docs/1.0.0-ANNOUNCEMENT.md
More specifically, the following link changes are performed:
- METADATA.md
to: metadata format section in TUF spec
Note: alternatively this could link to the new location of
METADATA.md (see theupdateframework/python-tuf#1769), but the spec
seems like a better resource
- TUTORIAL.md#repo-management
to: new metadata API doc on readthedocs and new repo
example/tutorial
- TUTORIAL.md#lazy-bin-walk
to: new hashed bin delegation example/tutorial
- client implementation
to: new client doc on readthedocs
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Changes detected by Topy (https://github.com/intgr/topy), all changes
verified by hand, false positives have been omitted.
These range from straight-out misspellings to debatable hyphen placement.
The hyphen changes are supported by grammar manuals of style.
In secure-systems-lab/peps#73 Figure 2 became Figure 1. This change
fixes a missed reference update.
It also removes a stray "and".
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
James Bennett pointed out that "package signing" is widely misunderstood
as referring specifically to end-to-end signing with individual
publisher keys, rather than to metadata signing in general.
This updates the title and abstract to instead use the term "signed
repository metadata", and also updates a few other sections that
still gave the impression that implementing PEP 458 would be
enough to give the full end-to-end signing support that is actually
covered in PEP 480.
* Made various edits and clarifications to the pep including:
* letting the PSF appoint offline key holders
* moving content from abstract to motivation to make the abstract more succinct
* updating the threat model
* resolving some minor inconsistencies
* add link to cncf blog post
* PEP 458: use "OpenPGP" instead of "GPG". The signature format is OpenPGP. Other
OpenPGP implementations exist aside from gpg, the OpenPGP tool from the GnuPG project.
* Add non-goals section to clarify that this PEP does not remove support for GPG signatures.
* Update pep-0458.txt
Co-Authored-By: Trishank Karthik Kuppusamy <33133073+trishankatdatadog@users.noreply.github.com>
Co-authored-by: Trishank Karthik Kuppusamy <33133073+trishankatdatadog@users.noreply.github.com>
Add subsection to section "Managing Future Changes to the Update
Process" that explains how to transition from an old (e.g. because
it has become weak) to a new (e.g. stronger) hashing algorithm
without disrupting client workflows.
Uses static last stable version tag (v0.11.1), instead of dynamic
branch name (develop), when pointing to documents in the TUF
repository. This makes them more prone to become outdated but less
prone to 404.
Note that the two referenced TUF publications are also available
under more permanent, albeit paywalled, DOIs:
[2] https://doi.org/10.1145/1866307.1866315
[13] https://doi.org/10.1145/1455770.1455841
Facebook Research has now funded implementation of
cryptographic signing of packages on PyPI. Per
https://github.com/pypa/warehouse/issues/5247#issuecomment-535278176
this means that PEP 458 now moves out of Deferred
status and into Draft status.
Since the PEP was created, the BDFL-Delegate for
PyPI-related PEPs has shifted, and Donald Stufft
is now the Delegate.
PEP 458 now focuses on content security (rather than the current
transport-only security) between PyPI and end users.
PEP 480 builds on PEP 458 to also provide end-to-end security
that can fully handle a compromise of PyPI.