Re: [Distutils] [tuf] Re: vetting, signing, verification of release files

2013-07-17 Thread Justin Cappos
My impression is this only holds for things signed directly by PyPI because the developers have not registered a key. I think that developers who register keys won't have this issue. Let's talk about this when you return, but it's really projects / developers that will be stable in the common ca

Re: [Distutils] [tuf] Re: vetting, signing, verification of release files

2013-07-17 Thread Donald Stufft
On Jul 17, 2013, at 9:29 PM, Trishank Karthik Kuppusamy wrote: > On 07/18/2013 03:24 AM, Ronald Oussoren wrote: >> I'm trying to understand what this means for package maintainers. If I >> understand you correctly maintainers would upload packages just like they do >> now, and packages are th

Re: [Distutils] [tuf] Re: vetting, signing, verification of release files

2013-07-17 Thread Trishank Karthik Kuppusamy
On 07/18/2013 09:34 AM, Justin Cappos wrote: My impression is this only holds for things signed directly by PyPI because the developers have not registered a key. I think that developers who register keys won't have this issue. Let's talk about this when you return, but it's really projects

Re: [Distutils] [tuf] Re: vetting, signing, verification of release files

2013-07-17 Thread Justin Cappos
If there is not a compromise of PyPI, then all updates happen essentially instantly. Developers that do not sign packages, and so PyPI signs them, may have their newest packages remain unavailable for a period of up to 3 months *if there is a compromise of PyPI*. Thanks, Justin On Wed, Jul 17,

Re: [Distutils] [tuf] Re: vetting, signing, verification of release files

2013-07-17 Thread Donald Stufft
On Jul 17, 2013, at 9:52 PM, Justin Cappos wrote: > If there is not a compromise of PyPI, then all updates happen essentially > instantly. > > Developers that do not sign packages and so PyPI signs them, may have their > newest packages remain unavailable for a period of up to 3 months *if

Re: [Distutils] [tuf] Re: vetting, signing, verification of release files

2013-07-17 Thread Justin Cappos
Sure. The "stable" key is kept offline (not on PyPI). It knows who the developers for projects are and delegates trust to them. So Django (for example) has its key signed by this offline key. The "bleeding-edge" key is kept online on PyPI. It is used to sign project keys for projects newer

Re: [Distutils] [tuf] Re: vetting, signing, verification of release files

2013-07-17 Thread Nick Coghlan
On 18 July 2013 12:06, Justin Cappos wrote: > Sorry for any confusion about this. We will provide a bunch of other > information soon (should we do this as a PEP?) along with example metadata > and working code. We definitely appreciate any feedback. It's probably too early for a PEP (since w

Re: [Distutils] [tuf] Re: vetting, signing, verification of release files

2013-07-17 Thread Justin Cappos
Okay, we'll get this together once Trishank returns and we've had a chance to write up the latest. Justin On Wed, Jul 17, 2013 at 11:52 PM, Nick Coghlan wrote: > On 18 July 2013 12:06, Justin Cappos wrote: > > Sorry for any confusion about this. We will provide a bunch of other > > informat

Re: [Distutils] [tuf] Re: vetting, signing, verification of release files

2013-07-18 Thread holger krekel
On Wed, Jul 17, 2013 at 21:46 -0400, Donald Stufft wrote: > As I've mentioned before an online key (as is required by PyPI) means > that if someone compromises PyPI they compromise the key. It seems to > me that TUF is really designed to handle the case of the Linux > distribution (or similar) wher