diff --git a/pep-0480.txt b/pep-0480.txt index 8296ed8684d2..190f0beba470 100644 --- a/pep-0480.txt +++ b/pep-0480.txt @@ -4,10 +4,10 @@ Version: $Revision$ Last-Modified: $Date$ Author: Trishank Karthik Kuppusamy , Vladimir Diaz , - Justin Cappos -BDFL-Delegate: Richard Jones -Discussions-To: DistUtils mailing list -Status: Deferred + Justin Cappos , Marina Moore +BDFL-Delegate: Paul Moore +Discussions-To: Packaging category on Python Discourse +Status: Draft Type: Standards Track Content-Type: text/x-rst Requires: 458 @@ -56,8 +56,12 @@ distributions. PEP Status ========== -Due to the amount of work required to implement this PEP, it is deferred until -appropriate funding can be secured to implement the PEP. +The community discussed this PEP from 2014 to 2018. Due to the amount +of work required to implement this PEP, discussion was deferred until +after approval for the precursor step in PEP 458. As of mid-2020 PEP +458 is approved and implementation is in progress, and the PEP authors +aim to gain approval so they can secure appropriate funding for +implementation. Rationale @@ -276,7 +280,7 @@ Files, and Key Management) cover the cryptographic components of the developer release process. That is, which key type PyPI supports, how keys may be stored, and how keys may be generated. The two subsections that follow the first three discuss the PyPI modules that SHOULD be modified to support TUF -metadata. For example, Twine and Distutils are two projects that SHOULD be +metadata. For example, Twine and Distlib are two projects that SHOULD be modified. Finally, the last subsection goes over the automated key management and signing solution that is RECOMMENDED for the signing tools. 
@@ -341,14 +345,15 @@ distributions, and prevents MITM attacks on usernames and passwords. __ https://github.com/pypa/twine -Distutils ---------- +Distlib +------- -`Distutils`__ MAY be modified to sign metadata and to upload signed distributions -to PyPI. Distutils comes packaged with CPython and is the most widely-used -tool for uploading distributions to PyPI. +`Distlib`__ MAY be modified to sign metadata and to upload signed +distributions to PyPI. Distlib is a library which implements +low-level functions that relate to packaging and publication of +Python software, including uploading distributions to PyPI. -__ https://docs.python.org/2/distutils/index.html#distutils-index +__ https://packaging.python.org/key_projects/#distlib Automated Signing Solution @@ -410,7 +415,7 @@ management is preferred (e.g., ssh-copy-id). The `repository`__ and `developer`__ TUF tools currently support all of the recommendations previously mentioned, except for the automated signing -solution, which SHOULD be added to Distutils, Twine, and other third-party +solution, which SHOULD be added to Distlib, Twine, and other third-party signing tools. The automated signing solution calls available repository tool functions to sign metadata and to generate the cryptographic key files.
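Review bot: the new `Discussions-To: Packaging category on Python Discourse` line in the `@@ -4,10 +4,10 @@` header hunk names a forum without an address, whereas the replaced line pointed at a named mailing list and PEP headers conventionally carry a resolvable address or URL; suggest replacing it with the Discourse category URL so readers can find the thread. The `Status: Draft` change is consistent with the new PEP Status text in the next hunk.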
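Review bot: `As of mid-2020 PEP 458 is approved and implementation is in progress` in the PEP Status hunk is a dated snapshot that will go stale as that implementation advances; suggest linking the PEP 458 acceptance instead and saying that implementation status is tracked there, leaving `Requires: 458` in the header as the normative dependency. The closing sentence also inverts the old ordering (the removed text deferred the PEP until funding was secured, the new text seeks approval in order to secure funding), so state plainly which comes first so readers of a Draft know what acceptance commits the community to.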
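Review bot: the rewritten Distlib paragraph in the `@@ -341,14 +345,15 @@` hunk drops the justification the Distutils text carried (`the most widely-used tool for uploading distributions to PyPI`) without replacing it; with Distlib described only as a library of `low-level functions`, the reader is given no reason why this library in particular should gain signing and upload support. Suggest one sentence on which upload paths rely on it, or trim the claim to what can be supported. The RST underline now matches the shorter title and the link target points at the packaging.python.org key projects page, so those parts are fine.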
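Review bot: `solution, which SHOULD be added to Distlib, Twine, and other third-party signing tools` in the last hunk uses SHOULD while the Distlib section above now says Distlib `MAY be modified`; the RFC 2119 levels must agree, so either raise the Distlib section to SHOULD or soften this line, otherwise implementers get contradictory requirements for the same tool. Note too that this line groups Distlib with `third-party signing tools`, whereas the removed text relied on Distutils shipping with CPython; moving the signing path into a third-party library changes what users must trust, and that shift deserves a sentence wherever the PEP lists the trusted components.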