Python Software Foundation has published a Request for Information
seeking software developers to add these features to Warehouse (PyPI):
* Verifiable cryptographic signing of artifacts (PEP 458/TUF or similar)
* Technical infrastructure and methods for automated detection of
malicious package uploads
More info:
https://github.com/python/request-for/blob/master/2019-Q4-PyPI/RFI.md
We'd like for potential contractors & other experts to keep discussion
at the Discourse forum
https://discuss.python.org/c/python-software-foundation/pypi-q4-rfi ,
especially on these questions:
* What methods should we implement to detect malicious content?
https://discuss.python.org/t/what-methods-should-we-implement-to-detect-malicious-content/2240/2
and
* PEPs 458 and 480 offer different levels of security; which (if either)
should we implement? Which one has more appropriate operational
efficacy? Should we use TUF (The Update Framework) or another approach?
https://discuss.python.org/t/which-cryptographic-signing-approach/2241
and more generally:
* What should community acceptance criteria be?
* How feasible is it to implement this on PyPI?
* What features do PyPI administrators need to make use of these
features in the future?
* What work would the developer need to do to make these features more
maintainable by future Warehouse maintainers?
--
Sumana Harihareswara
PyPI project manager
Changeset Consulting
https://changeset.nyc
--
Distutils-SIG mailing list -- distutils-sig@python.org
https://mail.python.org/mailman3/lists/distutils-sig.python.org/
Message archived at
https://mail.python.org/archives/list/distutils-sig@python.org/message/RWV3CEWE4TFRWGQDJV2Q77CFNJLIF6BG/