Commit Graph

32 Commits

Author SHA1 Message Date
Cristina 16ca065396
PEP 458: correct spelling of 'infrastucture' (#1329) 2020-03-12 11:46:26 +11:00
Ernest W. Durbin III 6a48fa75e9
PEP 458: Fix figure reference and typo (#1326)
In secure-systems-lab/peps#73 Figure 2 became Figure 1. This change
fixes a missed reference update.

It also removes a stray "and".

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2020-03-05 08:58:08 -05:00
Nick Coghlan af0691db4b
PEP 458: Use 'signed repository metadata' terminology (#1308)
James Bennett pointed out that "package signing" is widely misunderstood
as referring specifically to end-to-end signing with individual
publisher keys, rather than to metadata signing in general.

This updates the title and abstract to instead use the term "signed
repository metadata", and also updates a few other sections that
still gave the impression that implementing PEP 458 would be
enough to give the full end-to-end signing support that is actually
covered in PEP 480.
2020-02-21 08:31:29 +10:00
Nick Coghlan 4751318c7e
PEP 458: Mark as Accepted (#1306) 2020-02-15 19:22:42 +10:00
Trishank Karthik Kuppusamy 5a9de97e0d
PEP 458: update list of authors (#1295)
* update authors

* update email address & acknowledgements
2020-02-05 04:57:22 +11:00
mnm678 202ab85bde
PEP 458: Consistency & clarification edit (#1284)
* Made various edits and clarifications to the pep including:

* letting the PSF appoint offline key holders
* moving content from abstract to motivation to make the abstract more succinct
* updating the threat model
* resolving some minor inconsistencies
* add link to cncf blog post
2020-01-30 08:08:21 +10:00
dkg 17710b8798
PEP 458: use "OpenPGP" instead of "GPG" (#1287)
* PEP 458: use "OpenPGP" instead of "GPG".  The signature format is OpenPGP.  Other
OpenPGP implementations exist aside from gpg, the OpenPGP tool from the GnuPG project.
2020-01-30 06:02:31 +11:00
mnm678 d6fa383389 PEP 458: Allow compression of json metadata (#1281)
* Allow compression of json metadata

* Update pep-0458.txt

Co-Authored-By: Trishank Karthik Kuppusamy <33133073+trishankatdatadog@users.noreply.github.com>

Co-authored-by: Trishank Karthik Kuppusamy <33133073+trishankatdatadog@users.noreply.github.com>
2020-01-26 09:39:36 +10:00
mnm678 ace82afc14 PEP 458: Add non-goals section (#1280)
* Add non-goals section to clarify that this PEP does not remove support for GPG signatures.

* Update pep-0458.txt

Co-Authored-By: Trishank Karthik Kuppusamy <33133073+trishankatdatadog@users.noreply.github.com>

Co-authored-by: Trishank Karthik Kuppusamy <33133073+trishankatdatadog@users.noreply.github.com>
2020-01-24 06:58:25 +10:00
Sumana Harihareswara 56ed98a227 PEP 458: Add Post-History header (#1270)
Signed-off-by: Sumana Harihareswara <sh@changeset.nyc>
2020-01-08 06:39:41 +10:00
lukpueh 28cc445dca PEP 458: add hash algorithm transition plan (#1253)
Add subsection to section "Managing Future Changes to the Update
Process" that explains how to transition from an old (e.g. because
it has become weak) to a new (e.g. stronger) hashing algorithm
without disrupting client workflows.
2020-01-07 21:04:49 +10:00
mnm678 cf656ba7c5 PEP 458: Update Discussions-To to the Discourse thread (#1269) 2020-01-05 12:06:56 +10:00
mnm678 c6fa90376e PEP 458: Add abstract per discussion here: https://discuss.python.org/t/pep-458-surviving-a-compromise-of-pypi/2648/52 (#1268) 2020-01-05 12:05:45 +10:00
Sumana Harihareswara 99dd06f78e PEP 458: Change title to clarify intent (#1247)
* PEP 458: Change title to clarify intent

Per conversation in
https://discuss.python.org/t/pep-458-surviving-a-compromise-of-pypi/2648/21

about problems with current title, and per former PEP coauthor
Vladimir Diaz in
https://mail.python.org/archives/list/distutils-sig@python.org/thread/TXM2O34TMSHH5U6WA2IF7XKO5J3G5NQQ/#3QLN4KECII6KULKYXS7U4CVBEPGK4B6S

Signed-off-by: Sumana Harihareswara <sh@changeset.nyc>

* PEP 458: Improve title

Change "link" which misleadingly implied transport level
security.

Signed-off-by: Sumana Harihareswara <sh@changeset.nyc>
2020-01-04 01:16:25 +11:00
Sumana Harihareswara 33b62136d8 PEP 458: Add sponsor and update status (#1261)
Signed-off-by: Sumana Harihareswara <sh@changeset.nyc>
2019-12-23 13:07:03 +10:00
Trishank Karthik Kuppusamy 6d34b869c7 PEP 458: fix technical choices and remove ambiguity (#1203) 2019-12-02 13:42:40 -08:00
lukpueh b1f8c71951 PEP 458: update dead or outdated references (#1178)
Uses static last stable version tag (v0.11.1), instead of dynamic
branch name (develop), when pointing to documents in the TUF
repository. This makes them more prone to become outdated but less
prone to 404.

Note, that the two referenced tuf publications are also available
under more permanent, albeit paywalled DOIs:
[2] https://doi.org/10.1145/1866307.1866315
[13] https://doi.org/10.1145/1455770.1455841
2019-09-30 15:14:38 -07:00
Sumana Harihareswara 75467baf69 Move PEP 458 to Draft status and update Delegate (#1177)
Facebook Research has now funded implementation of
cryptographic signing of packages on PyPI. Per
https://github.com/pypa/warehouse/issues/5247#issuecomment-535278176
this means that PEP 458 now moves out of Deferred
status and into Draft status.

Since the PEP was created, the BDFL-Delegate for
PyPI-related PEPs has shifted, and Donald Stufft
is now the Delegate.
2019-09-26 12:12:20 -07:00
Min ho Kim cfb7bd74db Fix typos (#1113) 2019-07-03 11:20:45 -07:00
Min ho Kim e54097d3c4 Fix typos in various PEPs (#1111) 2019-06-24 21:58:50 -07:00
Brett Cannon 24761a120c
Defer PEP 458 (#931) 2019-03-21 12:53:57 -07:00
Mariatta cf3bad5ab3
Revert "Rename all .txt PEP files to .rst (GH-462)" (GH-464)
This reverts commit bb0e518ed3.
2017-11-11 11:28:55 -08:00
Huang Huang bb0e518ed3 Rename all .txt PEP files to .rst (GH-462)
For https://github.com/python/peps/issues/1
2017-11-11 10:30:43 -08:00
Serhiy Storchaka a53392a0f0 Remove trailing spaces. (#232)
Changes made automatically by the following command:
```
egrep -l ' +$' *.txt | xargs sed -i -re 's/ +$//'
```
2017-03-24 23:11:33 +02:00
Marti Raudsepp 04a6af2ab1 Fix various typos, spelling and grammar errors
Errors detected using Topy (https://github.com/intgr/topy), all changes
verified by hand.
2016-07-11 18:35:35 +03:00
Serhiy Storchaka 3dad438872 Issue #26916: Fixed words duplications. 2016-05-03 12:03:16 +03:00
Guido van Rossum d22d03825f Touch two PEPs with figures to force re-import on www.python.org. 2014-12-08 19:01:14 -08:00
Guido van Rossum 906fec97d7 Move PEP 458 figures out of subdirectory. 2014-11-25 16:43:59 -08:00
Guido van Rossum 70ca01847a Updates and figures for PEP 458 and PEP 480 by Vladimir Diaz. 2014-11-25 09:45:28 -08:00
Nick Coghlan 26898355d5 Split PEP 458 into two distinct PEPs
PEP 458 now focuses on content security (rather than the current
transport-only security) between PyPI and end users.

PEP 480 builds on PEP 458 to also provide end-to-end security
that can fully handle a compromise of PyPI.
2014-11-19 21:43:04 +10:00
Nick Coghlan 578f7d96ac PEP 458: remove Windows line endings 2014-11-19 21:34:40 +10:00
Nick Coghlan d7061c0d55 Add PEP 458: Surviving a compromise of PyPI 2013-11-15 22:20:14 +10:00