PEP 458: update dead or outdated references #1178
@@ -50,7 +50,7 @@ work (none by clients), but it also proposes an easy-to-use key management | |
solution for developers, how to interface with a potential future build farm on | ||
PyPI infrastructure, and discusses the feasibility of end-to-end signing. | ||
|
||
__ https://github.com/theupdateframework/tuf/tree/develop/tuf/client#updaterpy | ||
__ https://github.com/theupdateframework/tuf/tree/v0.11.1/tuf/client#updaterpy | ||
|
||
|
||
PEP Status | ||
|
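Review bot: the anchor `#updaterpy` in the replaced link at the end of this hunk is a GitHub-generated heading slug, so it only resolves if the README under `tuf/client` at tag v0.11.1 still has a heading that produces that slug; please confirm the link lands on the section rather than on the top of the page. Pinning to the v0.11.1 tag instead of `develop` is the right call for a PEP, since a branch link can silently stop matching the text that cites it.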
@@ -284,7 +284,7 @@ The `Metadata`__ document provides information about each of the required | |
metadata and their expected content. The next section covers the different | ||
kinds of metadata RECOMMENDED for PyPI. | ||
|
||
__ https://github.com/theupdateframework/tuf/blob/develop/METADATA.md | ||
__ https://github.com/theupdateframework/tuf/blob/v0.11.1/docs/METADATA.md | ||
|
||
|
||
PyPI and TUF Metadata | ||
|
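Review bot: besides moving from the `develop` branch to the v0.11.1 tag, this link also changes the path from `METADATA.md` at the repository root to `docs/METADATA.md`; a reader comparing the two URLs could assume only the ref changed, so the commit message or PR description should mention that the file moved. Otherwise the replacement looks correct.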
@@ -349,7 +349,7 @@ Automation will continuously sign for a timestamped, snapshot of all projects. | |
A `repository management`__ tool is available that can sign metadata files, | ||
generate cryptographic keys, and manage a TUF repository. | ||
|
||
__ https://github.com/theupdateframework/tuf/tree/develop/tuf#repository-management | ||
__ https://github.com/theupdateframework/tuf/blob/v0.11.1/docs/TUTORIAL.md#how-to-create-and-modify-a-tuf-repository | ||
|
||
|
||
How to Establish Initial Trust in the PyPI Root Keys | ||
|
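Review bot: the link text `repository management` still reads like a reference to a tool, but the new target is a tutorial section (`#how-to-create-and-modify-a-tuf-repository`), so consider rewording the link text or the sentence so it does not promise a tool page. Unrelated to this change, the unchanged context line above reads `a timestamped, snapshot of all projects`, where the comma looks stray; a follow-up could drop it.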
@@ -434,7 +434,7 @@ project signed for by the *bins* role. For example, applying this scheme to | |
the previous repository resulted in pip downloading between 1.3KB and 111KB to | ||
install or upgrade a PyPI project via TUF. | ||
|
||
__ https://github.com/theupdateframework/tuf/issues/39 | ||
__ https://github.com/theupdateframework/tuf/blob/v0.11.1/docs/TUTORIAL.md#delegate-to-hashed-bins | ||
|
||
Based on our findings as of the time of writing, PyPI SHOULD split all targets | ||
in the *bins* role by delegating them to 1024 delegated roles, each of which | ||
|
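Review bot: replacing the link to issue #39 with the `#delegate-to-hashed-bins` tutorial anchor loses the source for the measurement the sentence cites (`pip downloading between 1.3KB and 111KB`): the tutorial anchor explains how hashed-bin delegation is set up, whereas the issue link was the only citation attached to those numbers. Suggest keeping the issue link alongside the tutorial link, or rewording the sentence so the numbers are attributed to a cited source.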
@@ -942,7 +942,7 @@ in this section: | |
distributions and manage keys is expected to render key signing an unused | ||
feature. | ||
|
||
__ https://minilock.io/ | ||
__ https://github.com/kaepora/miniLock | ||
|
||
3. A two-phase approach, where the minimum security model is implemented first | ||
followed by the maximum security model, can simplify matters and give PyPI | ||
|
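Review bot: the replacement points at the miniLock GitHub repository rather than the project site; given the comment in this thread that minilock.io has changed hands, that is the safe choice, but the sentence still presents miniLock as a current example of easy key management. Suggest either noting in the PEP text that the example dates from when the PEP was written, or replacing it with a contemporary alternative as the thread proposes.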
@@ -1044,7 +1044,7 @@ References | |
========== | ||
|
||
.. [1] https://pypi.python.org | ||
.. [2] https://isis.poly.edu/~jcappos/papers/samuel_tuf_ccs_2010.pdf | ||
.. [2] https://theupdateframework.github.io/papers/survivable-key-compromise-ccs2010.pdf | ||
.. [3] http://www.pip-installer.org | ||
.. [4] https://wiki.python.org/moin/WikiAttack2013 | ||
.. [5] https://github.com/theupdateframework/pip/wiki/Attacks-on-software-repositories | ||
FYI, I left this link, although the wiki page it points to doesn't list any attacks after 2016. I did, however, update that wiki page to direct the reader to a broader and more up to date collection of supply chain compromises.
||
|
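Review bot: given the PR's purpose, the unchanged entries `[1] https://pypi.python.org` and `[3] http://www.pip-installer.org` in this hunk deserve the same treatment as [2]: pypi.python.org now redirects to pypi.org, and pip's documentation has moved to pip.pypa.io. Updating [2] to the theupdateframework.github.io paper URL is a good change, since the author's university page is not a stable home for the paper.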
@@ -1057,19 +1057,19 @@ References | |
.. [11] https://mail.python.org/pipermail/distutils-sig/2013-May/020848.html | ||
.. [12] PEP 449, Removal of the PyPI Mirror Auto Discovery and Naming Scheme, Stufft | ||
http://www.python.org/dev/peps/pep-0449/ | ||
.. [13] https://isis.poly.edu/~jcappos/papers/cappos_mirror_ccs_08.pdf | ||
.. [13] https://theupdateframework.github.io/papers/attacks-on-package-managers-ccs2008.pdf | ||
.. [14] https://mail.python.org/pipermail/distutils-sig/2013-September/022755.html | ||
.. [15] https://pypi.python.org/security | ||
.. [16] https://github.com/theupdateframework/tuf/blob/develop/docs/tuf-spec.txt | ||
.. [16] https://github.com/theupdateframework/specification/blob/master/tuf-spec.md | ||
.. [17] PEP 426, Metadata for Python Software Packages 2.0, Coghlan, Holth, Stufft | ||
http://www.python.org/dev/peps/pep-0426/ | ||
.. [18] https://en.wikipedia.org/wiki/Continuous_delivery | ||
.. [19] https://mail.python.org/pipermail/distutils-sig/2013-August/022154.html | ||
.. [20] https://en.wikipedia.org/wiki/RSA_%28algorithm%29 | ||
.. [21] https://en.wikipedia.org/wiki/Key-recovery_attack | ||
.. [22] http://csrc.nist.gov/publications/nistpubs/800-57/SP800-57-Part1.pdf | ||
.. [22] https://doi.org/10.6028/NIST.SP.800-57pt1r4 | ||
.. [23] https://www.openssl.org/ | ||
.. [24] https://pypi.python.org/pypi/pycrypto | ||
.. [24] https://github.com/pyca/cryptography | ||
This used to point to pycrypto, which is not used anymore in the TUF reference implementation. Instead it uses cryptography and PyNaCl, both optionally, and ed25519 for a minimal pure Python installation. On a side note, the TUF team is also working on support for OpenPGP with gnupg (#174), HSM signing with PyKCS11 (#170), and SPHINCS+ with PySPX (#169). Let me know if any of this information should be incorporated in the PEP.
||
.. [25] http://ed25519.cr.yp.to/ | ||
.. [26] https://www.python.org/dev/peps/pep-0480/ | ||
.. [27] https://pyfound.blogspot.com/2019/09/pypi-security-q4-2019-request-for.html | ||
|
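Review bot: [16] is the one link in this PR that points at a moving branch (`specification/blob/master/tuf-spec.md`) while the other TUF links were pinned to the v0.11.1 tag; since the PEP cites specific specification behaviour, suggest pinning it to a tagged specification release so a later spec change cannot make the citation drift. The [22] DOI pins SP 800-57 Part 1 to revision 4 explicitly, which is the right way to cite a NIST document. For [24], the comment above notes that the reference implementation now uses cryptography and PyNaCl optionally and ed25519 for a pure Python install; if the PEP text near that citation still names pycrypto, it needs the same update.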
I have only corrected the link here (it seems minilock.io has a new owner). However, I suggest updating the entire reference to something like YubiKey, or another contemporary alternative. If desired, I can do it as part of this PR.
Yes, please add this too!