From "TUF, Warehouse, Pip, PyPA, ld-signatures, ed25519"

https://mail.python.org/pipermail/distutils-sig/2018-March/032081.html :

> Are there pypa/warehouse github issues for implementing the TUF trust
root support in warehouse; and client support in pip (or a module that pip
and other tools can use)?

Read and review these PEPs:

"PEP 458 -- Surviving a Compromise of PyPI"
https://www.python.org/dev/peps/pep-0458/

"PEP 480 -- Surviving a Compromise of PyPI: The Maximum Security Model"
https://www.python.org/dev/peps/pep-0480/

On Thursday, April 12, 2018, Trishank Kuppusamy <trishank.kuppus...@datadoghq.com> wrote:

> On Wed, Apr 11, 2018 at 10:30 PM, Sumana Harihareswara <s...@changeset.nyc>
> wrote:
>
>> Today, LWN published my new article "A new package index for Python".
>> https://lwn.net/Articles/751458/ In it, I discuss security, policy, UX
>> and developer experience changes in the 15+ years since PyPI's founding,
>> new features (and deprecated old features) in Warehouse, and future
>> plans. Plus: screenshots!
>>
>> If you aren't already an LWN subscriber, you can use this subscriber
>> link for the next week to read the article despite the LWN paywall.
>> https://lwn.net/SubscriberLink/751458/81b2759e7025d6b9/
>
>
> Thanks for the summary, and all your hard work, Sumana :)
>
> Happy to see this bit about TUF in future horizons:
>
>> Warehouse's signature handling demonstrates a shift in Python's thinking
>> regarding key management and package signatures. Ideally, package users,
>> software distributors, and package distribution tools would regularly use
>> signatures to verify Python package integrity. For the most part, however,
>> they don't, and there are major infrastructural barriers to them
>> effectively doing so. Therefore, GPG/PGP signatures for packages are no
>> longer visible in PyPI's web interface. Project maintainers can still
>> attach signatures to their release uploads, and those signatures still
>> appear in the Simple Project API as described in PEP 503. Stufft has made
>> no secret of his opinion that "package signing is not the Holy Grail";
>> current discussion among packaging-tools developers leans toward removing
>> signing features from another part of the Python packaging ecology (the
>> wheel library) and working toward implementing The Update Framework
>> instead. Relatedly, Warehouse, unlike legacy PyPI, does not provide an
>> interface for users to manage GPG or SSH public keys.
>
>
> We would love to help with these efforts in any way we can.
>
> --
> curl https://keybase.io/trishankdatadog/pgp_keys.asc | gpg --import
>
