[Distutils] Summary of PyPI overhaul in new LWN article

Trishank Kuppusamy trishank.kuppusamy at datadoghq.com
Thu Apr 12 11:58:09 EDT 2018


On Wed, Apr 11, 2018 at 10:30 PM, Sumana Harihareswara <sh at changeset.nyc>
wrote:

> Today, LWN published my new article "A new package index for Python".
> https://lwn.net/Articles/751458/ In it, I discuss security, policy, UX
> and developer experience changes in the 15+ years since PyPI's founding,
> new features (and deprecated old features) in Warehouse, and future
> plans. Plus: screenshots!
>
> If you aren't already an LWN subscriber, you can use this subscriber
> link for the next week to read the article despite the LWN paywall.
> https://lwn.net/SubscriberLink/751458/81b2759e7025d6b9/


Thanks for the summary, and all your hard work, Sumana :)

Happy to see this bit about TUF in future horizons:

> Warehouse's signature handling demonstrates a shift in Python's thinking
> regarding key management and package signatures. Ideally, package users,
> software distributors, and package distribution tools would regularly use
> signatures to verify Python package integrity. For the most part, however,
> they don't, and there are major infrastructural barriers to them
> effectively doing so. Therefore, GPG/PGP signatures for packages are no
> longer visible in PyPI's web interface. Project maintainers can still
> attach signatures to their release uploads, and those signatures still
> appear in the Simple Project API as described in PEP 503. Stufft has made
> no secret of his opinion that "package signing is not the Holy Grail";
> current discussion among packaging-tools developers leans toward removing
> signing features from another part of the Python packaging ecology (the
> wheel library) and working toward implementing The Update Framework
> instead. Relatedly, Warehouse, unlike legacy PyPI, does not provide an
> interface for users to manage GPG or SSH public keys.


We would love to help with these efforts in any way we can.

-- 
curl https://keybase.io/trishankdatadog/pgp_keys.asc | gpg --import
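The quoted passage notes that signatures no longer show in the web UI but still appear in the Simple Project API per PEP 503. As an added example (not part of this email or of Warehouse), here is a small PEP 503 page inspector a package consumer could run to find out which release files on a project's simple page actually advertise a detached signature. It assumes the PEP 503 conventions: each file is an `<a href>` link, an optional `data-gpg-sig` attribute of `"true"` or `"false"` says whether a signature exists, and the signature lives at the file URL with `.asc` appended. The HTML below is constructed, not fetched from PyPI, and the base URL is a placeholder.

```python
"""Inspect a PEP 503 "simple" project page for advertised GPG signatures.

Added example, not code from the original post or from Warehouse. Assumes the
PEP 503 conventions described in the lead-in.
"""
from html.parser import HTMLParser
from posixpath import basename
from urllib.parse import urljoin, urlparse

# Constructed sample page in PEP 503 form (not real PyPI content).
SAMPLE_INDEX = """
<!DOCTYPE html>
<html><head><title>Links for examplepkg</title></head>
<body><h1>Links for examplepkg</h1>
<a href="../../packages/aa/bb/examplepkg-1.0.tar.gz#sha256=0123abcd" data-gpg-sig="true">examplepkg-1.0.tar.gz</a><br/>
<a href="../../packages/cc/dd/examplepkg-1.1-py3-none-any.whl#sha256=4567ef01" data-gpg-sig="false">examplepkg-1.1-py3-none-any.whl</a><br/>
<a href="../../packages/ee/ff/examplepkg-1.2.tar.gz" data-requires-python="&gt;=3.6">examplepkg-1.2.tar.gz</a><br/>
</body></html>
"""

# Placeholder base URL for resolving the relative hrefs above.
SAMPLE_BASE_URL = "https://example.invalid/simple/examplepkg/"


class SimpleIndexParser(HTMLParser):
    """Collect every <a href> on a simple page together with its attributes."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attr = dict(attrs)
        if "href" in attr:
            self.links.append(attr)


def parse_simple_page(html, base_url):
    """Return one record per file link: name, file URL, sha256 hint, signature state."""
    parser = SimpleIndexParser()
    parser.feed(html)
    records = []
    for attr in parser.links:
        absolute = urljoin(base_url, attr["href"])
        parsed = urlparse(absolute)
        # The fragment carries a digest hint (e.g. sha256=...); it is not part
        # of the file location, so strip it before deriving the .asc URL.
        file_url = parsed._replace(fragment="").geturl()
        digest = None
        if parsed.fragment.startswith("sha256="):
            digest = parsed.fragment[len("sha256="):]
        flag = attr.get("data-gpg-sig")
        if flag == "true":
            state, sig_url = "advertised", file_url + ".asc"
        elif flag == "false":
            state, sig_url = "absent", None
        else:
            # Repository did not say; a client may probe the .asc URL itself.
            state, sig_url = "unknown", file_url + ".asc"
        records.append({
            "filename": basename(parsed.path),
            "file_url": file_url,
            "sha256": digest,
            "signature": state,
            "signature_url": sig_url,
        })
    return records


def signed_filenames(records):
    """Names of files whose link explicitly advertises a detached signature."""
    return [r["filename"] for r in records if r["signature"] == "advertised"]


if __name__ == "__main__":
    for rec in parse_simple_page(SAMPLE_INDEX, SAMPLE_BASE_URL):
        print(f"{rec['filename']:40} signature={rec['signature']:10} "
              f"sha256={rec['sha256']}")
```

The three states matter for a consumer: "advertised" means the `.asc` can be fetched and checked against a key obtained out of band, "absent" means no signature exists for that file, and "unknown" means the repository gave no hint, which is the common case on indexes that omit the attribute.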