[Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

Vladimir Diaz vladimir.v.diaz at gmail.com
Fri Jan 2 17:47:56 CET 2015


I prefer pulling the TUF PEPs (available on hg.python.org) into
github.com/pypa.

Please add Justin, Linda, Trishank, and myself as collaborators:

https://github.com/vladimir-v-diaz
https://github.com/dachshund
https://github.com/JustinCappos
https://github.com/lvigdor

P.S. Donald helped tremendously with the snapshot process, Ed25519 library,
ideas, and feedback.  I think that earns a spot on the authors list.


On Fri, Jan 2, 2015 at 11:30 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:

> On 3 January 2015 at 02:26, Donald Stufft <donald at stufft.io> wrote:
>
>>
>> On Jan 2, 2015, at 11:14 AM, Vladimir Diaz <vladimir.v.diaz at gmail.com>
>> wrote:
>>
>> Thanks for the great feedback - Nick, Donald, Paul, and Richard
>> (off-list).
>>
>> I am totally fine with focusing on PEP 458 and applying the final coat of
>> paint on this document.
>>
>> There's a lot of background documentation and technical details excluded
>> from the PEPs (to avoid turning the PEP into a 15+ page behemoth), but I do
>> agree that we should explicitly cover some of these implementation details
>> in PEP 458.  Subsections on the exact format of metadata, explanation on
>> how metadata is signed, and how the roles are "delegated" with the library,
>> still remain.  As Paul has indicated, terminology can also be improved so as
>> to be more readable for "non-experts."
>>
>> Let me know how we should collaborate on PEP 458 going forward.  Guido
>> van Rossum made minor corrections to PEP 458, and requested we reflect his
>> changes back to the version on Github.  We can either move
>> hg.python.org/pep/pep-0458.txt
>> <https://hg.python.org/peps/file/a532493ba99c/pep-0458.txt> to
>> github.com/pypa or github.com/theupdateframework/pep-on-pypi-with-tuf.
>>
>>
>> As far as I’m concerned I’m willing to collab however is best for y’all.
>> It appears you’re doing it on Github in the
>> https://github.com/theupdateframework/pep-on-pypi-with-tuf repository so
>> I’m happy to make PRs there. I’m also happy to make PRs elsewhere as well
>> though I prefer somewhere on Github. I’ll sit down with PEP 458 maybe this
>> weekend and see if I can crank out some PRs to refine it.
>>
>
> It probably makes sense to pull the TUF PEPs into the new
> pypa/interoperability-peps repo with the rest of them, and add Vladimir et
> al as developers on that repo (or just to the general PyPA developers
> group).
>
> Cheers,
> Nick.
>
> --
> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
>