From e2b198bf251d14c6e77d83ad391590a9e3665122 Mon Sep 17 00:00:00 2001 From: Sumana Harihareswara Date: Mon, 24 Aug 2020 15:00:02 -0400 Subject: [PATCH] PEP 480: Fix status, author, discuss, reference Move from Deferred to Draft status, update discussion venue and author list, and fix an obsolete reference to Distutils. Signed-off-by: Sumana Harihareswara --- pep-0480.txt | 33 +++++++++++++++++++-------------- 1 file changed, 19 insertions(+), 14 deletions(-) diff --git a/pep-0480.txt b/pep-0480.txt index 8296ed8684d2..63c32aecf14f 100644 --- a/pep-0480.txt +++ b/pep-0480.txt @@ -4,10 +4,10 @@ Version: $Revision$ Last-Modified: $Date$ Author: Trishank Karthik Kuppusamy , Vladimir Diaz , - Justin Cappos -BDFL-Delegate: Richard Jones -Discussions-To: DistUtils mailing list -Status: Deferred + Justin Cappos , Marina Moore +BDFL-Delegate: Paul Moore +Discussions-To: Packaging category on Python Discourse +Status: Draft Type: Standards Track Content-Type: text/x-rst Requires: 458 @@ -56,8 +56,12 @@ distributions. PEP Status ========== -Due to the amount of work required to implement this PEP, it is deferred until -appropriate funding can be secured to implement the PEP. +The community discussed this PEP from 2014 to 2018. Due to the amount +of work required to implement this PEP, discussion was deferred until +after approval for the precursor step in PEP 458. As of mid-2020 PEP +458 is approved and implementation is in progress, and the PEP authors +aim to gain approval so they can secure appropriate funding for +implementation. Rationale 
@@ -276,7 +280,7 @@ Files, and Key Management) cover the cryptographic components of the developer release process. That is, which key type PyPI supports, how keys may be stored, and how keys may be generated. The two subsections that follow the first three discuss the PyPI modules that SHOULD be modified to support TUF -metadata. For example, Twine and Distutils are two projects that SHOULD be +metadata. For example, Twine and Distlib are two projects that SHOULD be modified. Finally, the last subsection goes over the automated key management and signing solution that is RECOMMENDED for the signing tools. @@ -341,14 +345,15 @@ distributions, and prevents MITM attacks on usernames and passwords. __ https://github.com/pypa/twine -Distutils ---------- +Distlib +------- -`Distutils`__ MAY be modified to sign metadata and to upload signed distributions -to PyPI. Distutils comes packaged with CPython and is the most widely-used -tool for uploading distributions to PyPI. +`Distlib`__ MAY be modified to sign metadata and to upload signed +distributions to PyPI. Distlib is a library which implements +low-level functions that relate to packaging and publication of +Python software, including uploading distributions to PyPI. -__ https://docs.python.org/2/distutils/index.html#distutils-index +__ https://packaging.python.org/key_projects/#distlib Automated Signing Solution @@ -410,7 +415,7 @@ management is preferred (e.g., ssh-copy-id). The `repository`__ and `developer`__ TUF tools currently support all of the recommendations previously mentioned, except for the automated signing -solution, which SHOULD be added to Distutils, Twine, and other third-party +solution, which SHOULD be added to Distlib, Twine, and other third-party signing tools. The automated signing solution calls available repository tool functions to sign metadata and to generate the cryptographic key files.
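Review bot: In the header hunk (the first hunk, `@@ -4,10 +4,10 @@`), the new `Discussions-To: Packaging category on Python Discourse` is a prose description rather than the mailing-list address or URL that field normally carries, so a reader cannot follow it to the thread; consider putting the Discourse category URL (or the specific thread URL) on that line. The `Status: Deferred` to `Status: Draft` change and the added author match what the commit message describes.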
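Review bot: In the PEP Status hunk (`@@ -56,8 +56,12 @@`), "As of mid-2020 PEP 458 is approved" will date quickly and is hard to verify later; replace it with the actual acceptance date of PEP 458 or point at PEP 458's own Resolution so the statement stays checkable. The sentence "discussion was deferred until after approval for the precursor step in PEP 458" also reads awkwardly; something like "discussion was deferred until PEP 458, the precursor to this PEP, was approved" says the same thing more directly.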
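Review bot: In the hunk at `@@ -276,7 +280,7 @@`, replacing "Distutils" with "Distlib" changes which project the sentence refers to rather than just refreshing a stale name: Distlib is a separate PyPA library, not a renamed Distutils, so the commit message's "fix an obsolete reference" framing understates the substantive change. Since this is a one-word swap in a list of "two projects that SHOULD be modified", check that no other mention of Distutils remains elsewhere in the document so the list of signing tools stays consistent with the Distlib section below.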
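Review bot: In the Distlib section hunk (`@@ -341,14 +345,15 @@`), the new description asserts that Distlib's low-level functions include "uploading distributions to PyPI", but the replacement link target (`https://packaging.python.org/key_projects/#distlib`) is an overview page rather than Distlib's own documentation; either confirm that page supports the upload claim or link to the Distlib docs directly. The shortened heading underline (seven dashes for "Distlib") is correct reStructuredText, and dropping the old "comes packaged with CPython and is the most widely-used tool" claim is the right call since it does not apply to Distlib.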
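Review bot: In the last hunk (`@@ -410,7 +415,7 @@`), the automated signing solution "SHOULD be added to Distlib, Twine, and other third-party signing tools", while the Distlib section changed in the same patch says Distlib "MAY be modified to sign metadata". The mismatch predates this change (the old text said the same of Distutils), but since both lines are being edited here, pick one requirement level for Distlib so the two sections agree.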