Re: PyPI & cryptographic signing and malware detection - seeking comment
Sorry, forgot to add: Please comment by September 18th. That's when the RFI ends. Then, the Request for Proposals period will be September 23-October 16. Then we aim to start work in December. (Timeline details are in the RFI.)

On 9/3/19 10:40 AM, Sumana Harihareswara wrote:
> https://github.com/python/request-for/blob/master/2019-Q4-PyPI/RFI.md

--
You received this message because you are subscribed to the Google Groups "pypa-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to pypa-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/pypa-dev/8908a599-c731-7177-dc9a-08a703797871%40changeset.nyc.
PyPI & cryptographic signing and malware detection - seeking comment
Python Software Foundation has published a Request for Information seeking software developers to add these features to Warehouse (PyPI):

* Verifiable cryptographic signing of artifacts (PEP 458/TUF or similar)
* Technical infrastructure and methods for automated detection of malicious package uploads

More info: https://github.com/python/request-for/blob/master/2019-Q4-PyPI/RFI.md

We'd like for potential contractors & other experts to keep discussion at the Discourse forum https://discuss.python.org/c/python-software-foundation/pypi-q4-rfi , especially on these questions:

* What methods should we implement to detect malicious content?
  https://discuss.python.org/t/what-methods-should-we-implement-to-detect-malicious-content/2240/2

* PEPs 458 and 480 offer different levels of security; which (if either) should we implement? Which one has more appropriate operational efficacy? Should we use TUF (The Update Framework) or another approach?
  https://discuss.python.org/t/which-cryptographic-signing-approach/2241

and more generally:

* What should community acceptance criteria be?
* How feasible is it to implement this on PyPI?
* What features do PyPI administrators need to make use of these features in the future?
* What work would the developer need to do to make these features more maintainable by future Warehouse maintainers?

--
Sumana Harihareswara
PyPI project manager
Changeset Consulting
https://changeset.nyc