In secure-systems-lab/peps#73 Figure 2 became Figure 1. This change
fixes a missed reference update.
It also removes a stray "and".
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
James Bennett pointed out that "package signing" is widely misunderstood
as referring specifically to end-to-end signing with individual
publisher keys, rather than to metadata signing in general.
This updates the title and abstract to instead use the term "signed
repository metadata", and also updates a few other sections that
still gave the impression that implementing PEP 458 would be
enough to give the full end-to-end signing support that is actually
covered in PEP 480.
* Made various edits and clarifications to the PEP including:
  * letting the PSF appoint offline key holders
  * moving content from abstract to motivation to make the abstract more succinct
  * updating the threat model
  * resolving some minor inconsistencies
  * adding a link to the CNCF blog post
* PEP 458: use "OpenPGP" instead of "GPG". The signature format is OpenPGP. Other
OpenPGP implementations exist aside from gpg, the OpenPGP tool from the GnuPG project.
* Add non-goals section to clarify that this PEP does not remove support for GPG signatures.
* Update pep-0458.txt
Co-Authored-By: Trishank Karthik Kuppusamy <33133073+trishankatdatadog@users.noreply.github.com>
Co-authored-by: Trishank Karthik Kuppusamy <33133073+trishankatdatadog@users.noreply.github.com>
Add subsection to section "Managing Future Changes to the Update
Process" that explains how to transition from an old (e.g. because
it has become weak) to a new (e.g. stronger) hashing algorithm
without disrupting client workflows.
Uses static last stable version tag (v0.11.1), instead of dynamic
branch name (develop), when pointing to documents in the TUF
repository. This makes them more prone to become outdated but less
prone to 404.
Note that the two referenced TUF publications are also available
under more permanent, albeit paywalled, DOIs:
[2] https://doi.org/10.1145/1866307.1866315
[13] https://doi.org/10.1145/1455770.1455841
Facebook Research has now funded implementation of
cryptographic signing of packages on PyPI. Per
https://github.com/pypa/warehouse/issues/5247#issuecomment-535278176
this means that PEP 458 now moves out of Deferred
status and into Draft status.
Since the PEP was created, the BDFL-Delegate for
PyPI-related PEPs has shifted, and Donald Stufft
is now the Delegate.
PEP 458 now focuses on content security (rather than the current
transport-only security) between PyPI and end users.
PEP 480 builds on PEP 458 to also provide end-to-end security
that can fully handle a compromise of PyPI.