On Tue, May 7, 2019 at 10:01 AM Wes Turner <wes.tur...@gmail.com> wrote:
> What do namespaces offer over forking, diffing, reviewing the latest
> commits, and installing from your GH fork URL commit hash?
IIUC, one of the primary objectives for namespaces is to enable a user to
store state like ("We've reviewed this and consider this version acceptable
for our purposes")
PyPI already hosts 1 copy of each build of each version of each package for
everyon.
> When I try to install 'westurner/pip' and 'pip' is already installed, what
> should it do?
>
> Should pypa/setuptools_scm include the namespace in the version tag?
>
> If my concerns include integrity and availability in a risky environment,
> why rely upon PyPI for hosting (manylinux2010 binary) wheels at all? (You
> can run warehouse and/or devpi on-prem and keep that upgraded and baselined)
>
Or by privately hosting just a directory of packages and setting
PIP_INDEX_URL.
> Will pip throw an exception if my local warehouse or devpi package isn't
> signed with 'a key recognized by upstream'?
>
Will the TUF implementation need any changes to support namespaces?
"Roadmap update for TUF support"
https://github.com/pypa/warehouse/issues/5247
> "PyPI security work: multifactor auth progress & help needed"
>
https://discuss.python.org/t/pypi-security-work-multifactor-auth-progress-help-needed/1042/10
(Docker Notary does TUF today)
>
> On Monday, May 6, 2019, Dave Ashby via Distutils-SIG <
> distutils-sig@python.org> wrote:
>
>> Good evening distutils-sig-
>>
>> TL;DR: today during the Python Packaging Summit/Sprint I broached the
>> topic of introducing namespaces on PyPi with several of the luminaries in
>> the PyPA ecosystem. After much discussion I think we concluded that there’s
>> general support for the idea, but quite a number of devils in the details
>> that would need worked out. I’ve tried to capture much of the relevant
>> discussion on in the associated thread on discuss.python.org
>> <https://discuss.python.org/t/namespace-support-in-pypi/1609> (including
>> a first-pass at a draft PEP
>> <https://gist.github.com/vadave/f1f2d07f5e355c6263fc111aae634ea5>)
>> Please join in the conversation about whether/how namespaces should be
>> implemented in PyPi.
>>
>>
>>
>> Detail:
>>
>> The namespaces discussion had actually come up before the transition to
>> warehouse[1], but at the time it was deferred due to the effort associated
>> with that migration. Now that Warehouse is in a better place, it seems like
>> it’s time to reinvigorate this discussion. Most other programming languages
>> have some type of namespace construct that can be used to help better
>> manage the supply chain integrity. As I see it namespaces have the
>> potential to provide significant value to **both** package maintainers
>> and package consumers. For package maintainers it potentially offers a
>> higher-level of control over packages they are responsible for maintaining.
>> For package consumers it potentially offers a cleaner mechanism for “at a
>> glance” recognition of the source of a particular package (e.g. whether the
>> package is vendor-developed vs. community-developed or has a formal
>> relationship with some larger group like PyData).
>>
>>
>>
>> With all that said, my personal goal is for this PEP to serve kind of a
>> foundational role. I **don’t want** to try to exhaustively define all
>> the different scenarios that namespaces can/should be used to enable. I **do
>> want** namespaces to become a clear security-boundary that can be used
>> in “high compliance” environments to make security-related risk decisions.
>> And lastly, I **definitely don’t want** to replace the current global
>> namespace…..I view this as a complement, not a replacement to the current
>> situation.
>>
>>
>>
>> Finally, as this is my first post to this list I’ll offer the obligatory
>> “new guy” introduction. I started using Python about 4 years ago, so I
>> still consider myself a relative newbie. For my day job I’m an independent
>> consultant working with what I call “high compliance” customers…..folks
>> that really, really care about security and have lots of process baked
>> around how they manage security risk within their organization. I’m based
>> in Fairfax, VA. Most of what I do from day-to-day **is not** writing
>> python code, but rather working issues around IT architecture and
>> governance (with a general focus around enabling infrastructure such as
>> cloud services and devops tooling).
>>
>>
>>
>> Thanks to all the folks that offered their time and opinions on this
>> topic today. I look forward to continued dialogue on this, and welcome any
>> ideas or cautions folks may have about making this a reality. And remember:
>> “Namespaces are one honking great idea – let’s do more of those!”
>>
>> -d
>>
>>
>>
>>
>>
>> [1] Original feature request for adding namepsaces support:
>> https://github.com/pypa/warehouse/issues/2589
>>
>
--
Distutils-SIG mailing list -- distutils-sig@python.org
To unsubscribe send an email to distutils-sig-le...@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at
https://mail.python.org/archives/list/distutils-sig@python.org/message/4LNQBNZFSBSCM4WCHGSMO2VSNLLQAWQR/
