PEP 458: update dead or outdated references #1178
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -50,7 +50,7 @@ work (none by clients), but it also proposes an easy-to-use key management | |
| solution for developers, how to interface with a potential future build farm on | ||
| PyPI infrastructure, and discusses the feasibility of end-to-end signing. | ||
|
|
||
| __ https://github.com/theupdateframework/tuf/tree/v0.11.1/tuf/client#updaterpy | ||
|
|
||
|
|
||
| PEP Status | ||
|
|
@@ -284,7 +284,7 @@ The `Metadata`__ document provides information about each of the required | |
| metadata and their expected content. The next section covers the different | ||
| kinds of metadata RECOMMENDED for PyPI. | ||
|
|
||
| __ https://github.com/theupdateframework/tuf/blob/v0.11.1/docs/METADATA.md | ||
|
|
||
|
|
||
| PyPI and TUF Metadata | ||
|
|
@@ -349,7 +349,7 @@ Automation will continuously sign for a timestamped, snapshot of all projects. | |
| A `repository management`__ tool is available that can sign metadata files, | ||
| generate cryptographic keys, and manage a TUF repository. | ||
|
|
||
| __ https://github.com/theupdateframework/tuf/blob/v0.11.1/docs/TUTORIAL.md#how-to-create-and-modify-a-tuf-repository | ||
|
|
||
|
|
||
| How to Establish Initial Trust in the PyPI Root Keys | ||
|
|
@@ -434,7 +434,7 @@ project signed for by the *bins* role. For example, applying this scheme to | |
| the previous repository resulted in pip downloading between 1.3KB and 111KB to | ||
| install or upgrade a PyPI project via TUF. | ||
|
|
||
| __ https://github.com/theupdateframework/tuf/blob/v0.11.1/docs/TUTORIAL.md#delegate-to-hashed-bins | ||
|
|
||
| Based on our findings as of the time of writing, PyPI SHOULD split all targets | ||
| in the *bins* role by delegating them to 1024 delegated roles, each of which | ||
|
|
@@ -942,7 +942,7 @@ in this section: | |
| distributions and manage keys is expected to render key signing an unused | ||
| feature. | ||
|
|
||
| __ https://github.com/kaepora/miniLock | ||
|
|
||
| 3. A two-phase approach, where the minimum security model is implemented first | ||
| followed by the maximum security model, can simplify matters and give PyPI | ||
|
|
@@ -1044,7 +1044,7 @@ References | |
| ========== | ||
|
|
||
| .. [1] https://pypi.python.org | ||
| .. [2] https://theupdateframework.github.io/papers/survivable-key-compromise-ccs2010.pdf | ||
| .. [3] http://www.pip-installer.org | ||
| .. [4] https://wiki.python.org/moin/WikiAttack2013 | ||
| .. [5] https://github.com/theupdateframework/pip/wiki/Attacks-on-software-repositories | ||
|
There was a problem hiding this comment. FYI, I left this link. although the wiki page it points to doesn't list any attacks after 2016. I did, however, update that wiki page to direct the reader to a broader and more up to date collection of supply chain compromises. |
||
|
|
@@ -1057,19 +1057,19 @@ References | |
| .. [11] https://mail.python.org/pipermail/distutils-sig/2013-May/020848.html | ||
| .. [12] PEP 449, Removal of the PyPI Mirror Auto Discovery and Naming Scheme, Stufft | ||
| http://www.python.org/dev/peps/pep-0449/ | ||
| .. [13] https://theupdateframework.github.io/papers/attacks-on-package-managers-ccs2008.pdf | ||
| .. [14] https://mail.python.org/pipermail/distutils-sig/2013-September/022755.html | ||
| .. [15] https://pypi.python.org/security | ||
| .. [16] https://github.com/theupdateframework/specification/blob/master/tuf-spec.md | ||
| .. [17] PEP 426, Metadata for Python Software Packages 2.0, Coghlan, Holth, Stufft | ||
| http://www.python.org/dev/peps/pep-0426/ | ||
| .. [18] https://en.wikipedia.org/wiki/Continuous_delivery | ||
| .. [19] https://mail.python.org/pipermail/distutils-sig/2013-August/022154.html | ||
| .. [20] https://en.wikipedia.org/wiki/RSA_%28algorithm%29 | ||
| .. [21] https://en.wikipedia.org/wiki/Key-recovery_attack | ||
| .. [22] https://doi.org/10.6028/NIST.SP.800-57pt1r4 | ||
| .. [23] https://www.openssl.org/ | ||
| .. [24] https://github.com/pyca/cryptography | ||
|
There was a problem hiding this comment. This used to point to pycrypto, which is not used anymore in the TUF reference implementation. Instead it uses cryptography and PyNaCl, both optionally, and ed25519 for a minimal pure Python installation. On a side note, the TUF team is also working on support for OpenPGP with gnupg (#174), HSM signing with PyKCS11 (#170), and SPHINCS + with PySPX (#169). Let me know if any of this information should be incorporated in the PEP. |
||
| .. [25] http://ed25519.cr.yp.to/ | ||
| .. [26] https://www.python.org/dev/peps/pep-0480/ | ||
| .. [27] https://pyfound.blogspot.com/2019/09/pypi-security-q4-2019-request-for.html | ||
|
|
||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have only corrected the link here (seems like minilock.io has a new owner). However, I suggest to update the entire reference to something like YubiKey, or another contemporary alternative. If desired I can do it as part of this PR.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, please add this too!