List:       python-distutils-sig
Subject:    [Distutils] Re: Adding namespace support to PyPi (continuation from PyPA Summit/Sprint)
From:       Lukas Puehringer <lukas.puehringer () nyu ! edu>
Date:       2019-05-08 20:33:36
Message-ID: 6768ee38-653d-1028-5f92-821f0a63ba50 () nyu ! edu

> Will the TUF implementation need any changes to support namespaces?

In the minimum security model (PEP 458), namespaces should not affect
TUF integration at all, since all target metadata (i.e. metadata about
packages uploaded to PyPI) are signed with keys owned by PyPI.

In the maximum security model (PEP 480), PyPI delegates trust about
packages to the packagers, i.e. the packagers sign TUF target metadata
with their keys and upload it to PyPI along with the corresponding
packages. The delegation is then **verified using package names**.

So in the latter case, namespace ownership and delegation management are
indeed related, as in, both deal with package name prefixes. However, I
think this is more an organizational matter than something that needs
implementation changes.

Besides, from what I gather from the "Namespace support in pypi"
discussion [1], it's not really clear yet what namespace support
actually means.



[1] https://discuss.python.org/t/namespace-support-in-pypi/1609/17

-- 
lukas.puehringer@nyu.edu
PGP fingerprint: 8BA6 9B87 D43B E294 F23E  8120 89A2 AD3C 07D9 62E8
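
Added example, not part of the original message and not code from TUF, PEP 480 or PyPI: a sketch of how a TUF-style delegation list maps a target path to the roles trusted to sign for it, with a namespace prefix expressed as one more path pattern. The role names, key ids, path layout and patterns are constructed for illustration, and signature and threshold verification are left out.

```python
from fnmatch import fnmatchcase

# Constructed delegation list, shaped like the "roles" array of a TUF
# targets delegation. Order is priority order. All names are hypothetical.
DELEGATIONS = [
    # A namespace prefix is just a path pattern owned by one set of keys.
    {"name": "acme-namespace", "keyids": ["key-acme"],
     "paths": ["packages/acme-*/*"], "terminating": True},
    # A single project delegated to its packager.
    {"name": "requests-owner", "keyids": ["key-req"],
     "paths": ["packages/requests/*"], "terminating": True},
    # Fallback role for everything that has not been claimed.
    {"name": "unclaimed", "keyids": ["key-pypi"],
     "paths": ["packages/*/*"], "terminating": False},
]


def roles_for_target(target_path, delegations=DELEGATIONS):
    """Return the role names, in priority order, that may sign target_path.

    A terminating delegation stops the search, so a lower-priority role
    cannot vouch for a path that an earlier role has claimed.
    """
    trusted = []
    for role in delegations:
        if any(fnmatchcase(target_path, pat) for pat in role["paths"]):
            trusted.append(role["name"])
            if role["terminating"]:
                break
    return trusted


def signer_allowed(target_path, signing_keyid, delegations=DELEGATIONS):
    """True if signing_keyid belongs to a role trusted for target_path."""
    allowed = set(roles_for_target(target_path, delegations))
    return any(signing_keyid in role["keyids"]
               for role in delegations if role["name"] in allowed)


if __name__ == "__main__":
    for path in ("packages/acme-utils/acme_utils-1.0.tar.gz",
                 "packages/requests/requests-2.0.tar.gz",
                 "packages/flask/flask-1.0.tar.gz"):
        print(path, "->", roles_for_target(path))
```

Whether a new namespace needs implementation changes then comes down to who is allowed to add or edit an entry like `acme-namespace`, which is the organizational question the message points at.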


Message archived at https://mail.python.org/archives/list/distutils-sig@python.org/message/GT74WUDLO3JYJDXFEY6QHOGZDIHV4P65/



