Discussion:
Summary of PyPI overhaul in new LWN article
Sumana Harihareswara
2018-04-12 02:30:49 UTC
Today, LWN published my new article "A new package index for Python".
https://lwn.net/Articles/751458/ In it, I discuss security, policy, UX
and developer experience changes in the 15+ years since PyPI's founding,
new features (and deprecated old features) in Warehouse, and future
plans. Plus: screenshots!

If you aren't already an LWN subscriber, you can use this subscriber
link for the next week to read the article despite the LWN paywall.
https://lwn.net/SubscriberLink/751458/81b2759e7025d6b9/

This summary should help occasional Python programmers -- and frequent
Pythonists who don't follow packaging/distro discussions closely --
understand why a new application is necessary, what's new, what features
are going away, and what to expect in the near future. I also hope it
catches the attention of downstreams that ought to migrate.
--
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
https://changeset.nyc
Wes Turner
2018-04-12 17:22:55 UTC
From "TUF, Warehouse, Pip, PyPA, ld-signatures, ed25519"
Are there pypa/warehouse github issues for implementing the TUF trust
root support in warehouse; and client support in pip (or a module that pip
and other tools can use)?

Read and review these PEPs:

"PEP 458 -- Surviving a Compromise of PyPI"
https://www.python.org/dev/peps/pep-0458/

"PEP 480 -- Surviving a Compromise of PyPI: The Maximum Security Model"
https://www.python.org/dev/peps/pep-0480/

On Thursday, April 12, 2018, Trishank Kuppusamy <
Post by Sumana Harihareswara
Today, LWN published my new article "A new package index for Python".
https://lwn.net/Articles/751458/ In it, I discuss security, policy, UX
and developer experience changes in the 15+ years since PyPI's founding,
new features (and deprecated old features) in Warehouse, and future
plans. Plus: screenshots!
If you aren't already an LWN subscriber, you can use this subscriber
link for the next week to read the article despite the LWN paywall.
https://lwn.net/SubscriberLink/751458/81b2759e7025d6b9/
Thanks for the summary, and all your hard work, Sumana :)
Post by Sumana Harihareswara
Warehouse's signature handling demonstrates a shift in Python's thinking
regarding key management and package signatures. Ideally, package users,
software distributors, and package distribution tools would regularly use
signatures to verify Python package integrity. For the most part, however,
they don't, and there are major infrastructural barriers to them
effectively doing so. Therefore, GPG/PGP signatures for packages are no
longer visible in PyPI's web interface. Project maintainers can still
attach signatures to their release uploads, and those signatures still
appear in the Simple Project API as described in PEP 503. Stufft has made
no secret of his opinion that "package signing is not the Holy Grail";
current discussion among packaging-tools developers leans toward removing
signing features from another part of the Python packaging ecology (the
wheel library) and working toward implementing The Update Framework
instead. Relatedly, Warehouse, unlike legacy PyPI, does not provide an
interface for users to manage GPG or SSH public keys.
We would love to help with these efforts any way we can.
--
curl https://keybase.io/trishankdatadog/pgp_keys.asc | gpg --import
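The Simple Project API behaviour quoted above (file links carrying a hash fragment and, per PEP 503, a data-gpg-sig flag with the detached signature at the file URL plus ".asc") as an added example in Python that is not code from this thread, Warehouse or pip; the index page, the file bytes and the pypi.example.invalid / files.example.invalid hosts are constructed for the demonstration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

STRONG_ALGOS = {"sha256", "sha384", "sha512"}  # md5/sha1 fragments are rejected
# Constructed sample artifact and simple-index page (not a real PyPI response).
SAMPLE_WHEEL = b"constructed wheel bytes for the example"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_WHEEL).hexdigest()
SAMPLE_PAGE = f"""<!DOCTYPE html><html><body>
<a href="https://files.example.invalid/pkg/example-1.0-py3-none-any.whl#sha256={SAMPLE_SHA256}"
   data-gpg-sig="true">example-1.0-py3-none-any.whl</a>
<a href="../../packages/example-0.9.tar.gz#md5=0123456789abcdef0123456789abcdef"
   data-gpg-sig="false">example-0.9.tar.gz</a>
</body></html>"""

class SimpleIndexParser(HTMLParser):
    """Collects every file link (<a href=...>) from a PEP 503 project page."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        href = urljoin(self.base_url, a.get("href", ""))  # hrefs may be relative
        algo, _, digest = urlparse(href).fragment.partition("=")  # "#sha256=<hex>"
        self.links.append({
            "url": href.split("#", 1)[0],
            "hash_algo": algo.lower() or None,
            "hash_value": digest.lower() or None,
            "gpg_sig": a.get("data-gpg-sig") == "true",  # PEP 503 signature flag
        })

def parse_simple_page(html, base_url):
    parser = SimpleIndexParser(base_url)
    parser.feed(html)
    parser.close()
    return parser.links

def signature_url(link):
    """PEP 503: a detached signature lives at the file URL with '.asc' appended."""
    return link["url"] + ".asc" if link["gpg_sig"] else None

def verify_download(link, data):
    """True only if the index advertised a strong hash and the bytes match it."""
    algo, expected = link["hash_algo"], link["hash_value"]
    if algo not in STRONG_ALGOS or not expected:
        return False
    return hashlib.new(algo, data).hexdigest() == expected
```

The hash check is what pip-style clients rely on today; fetching the ".asc" and running gpg against it is still a separate step, which is the gap the article and PEP 458/480 discussion are about.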