diff --git a/pep-0480.txt b/pep-0480.txt index 3a168755775..d5252f9a494 100644 --- a/pep-0480.txt +++ b/pep-0480.txt @@ -4,10 +4,10 @@ Version: $Revision$ Last-Modified: $Date$ Author: Trishank Karthik Kuppusamy , Vladimir Diaz , - Justin Cappos -BDFL-Delegate: Richard Jones -Discussions-To: DistUtils mailing list -Status: Deferred + Justin Cappos , Marina Moore +BDFL-Delegate: Donald Stufft +Discussions-To: Packaging category on Python Discourse +Status: Draft Type: Standards Track Content-Type: text/x-rst Requires: 458 @@ -56,8 +56,12 @@ distributions. PEP Status ========== -Due to the amount of work required to implement this PEP, it is deferred until -appropriate funding can be secured to implement the PEP. +The community discussed this PEP from 2014 to 2018. Due to the amount +of work required to implement this PEP, discussion was deferred until +after approval for the precursor step in PEP 458. As of mid-2020 PEP +458 is approved and implementation is in progress, and the PEP authors +aim to gain approval so they can secure appropriate funding for +implementation. Rationale @@ -341,14 +345,11 @@ distributions, and prevents MITM attacks on usernames and passwords. __ https://github.com/pypa/twine -Distutils ---------- +Build backends +-------------- -`Distutils`__ MAY be modified to sign metadata and to upload signed distributions -to PyPI. Distutils comes packaged with CPython and is the most widely used -tool for uploading distributions to PyPI. - -__ https://docs.python.org/2/distutils/index.html#distutils-index +Build backends MAY be modified to sign metadata and to upload signed +distributions to PyPI. Automated Signing Solution 
@@ -410,7 +411,7 @@ management is preferred (e.g., ssh-copy-id). The `repository`__ and `developer`__ TUF tools currently support all of the recommendations previously mentioned, except for the automated signing -solution, which SHOULD be added to Distutils, Twine, and other third-party +solution, which SHOULD be added to Distlib, Twine, and other third-party signing tools. The automated signing solution calls available repository tool functions to sign metadata and to generate the cryptographic key files. @@ -894,9 +895,10 @@ conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation. -We thank Nick Coghlan, Daniel Holth, Donald Stufft, and the distutils-sig -community in general for helping us to think about how to usably and -efficiently integrate TUF with PyPI. +We thank Nick Coghlan, Daniel Holth, Donald Stufft, Sumana +Harihareswara, and the distutils-sig community in general for helping +us to think about how to usably and efficiently integrate TUF with +PyPI. Roger Dingledine, Sebastian Hahn, Nick Mathewson, Martin Peck and Justin Samuel helped us to design TUF from its predecessor Thandy of the Tor project.
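Review bot: in the header hunk (`@@ -4,10 +4,10 @@`), the new `Discussions-To: Packaging category on Python Discourse` is free text where the other header fields and the old value (`DistUtils mailing list`) pointed at a concrete venue; since readers use this field to find the thread, consider giving the category's URL (or the thread URL once one exists) rather than a description. The status change `Deferred` to `Draft` matches the new PEP Status paragraph ("the PEP authors aim to gain approval"), so that part is consistent.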
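Review bot: the hunk at `@@ -341,14 +345,11 @@` replaces a paragraph that justified its recommendation (Distutils "comes packaged with CPython and is the most widely used tool for uploading distributions to PyPI") with a two-line paragraph that gives no reason for the new target and now says `Build backends MAY be modified to sign metadata and to upload signed distributions to PyPI`. In this document uploading is the job of the Twine section immediately above (which "prevents MITM attacks on usernames and passwords"); build backends produce distributions, they are not an upload path, so attributing upload to them blurs where the automated signing hook should live. Suggest narrowing to signing at build time, e.g. "Build backends MAY be modified to sign metadata and to include the resulting signatures alongside the distributions they produce; upload remains the responsibility of tools such as Twine", or add a sentence explaining the intended role. Also confirm the dropped `__ https://docs.python.org/2/distutils/...` target has no remaining anonymous-hyperlink reference elsewhere in the file, since a dangling `__` breaks the RST build.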
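Review bot: the hunk at `@@ -410,7 +411,7 @@` changes the automated signing target from `Distutils` to `Distlib`, but the earlier hunk renamed the corresponding section from "Distutils" to "Build backends" and nowhere in this patch is Distlib introduced, so the sentence now refers to a tool the document no longer describes. For consistency with the renamed section, change the `+` line to read "solution, which SHOULD be added to build backends, Twine, and other third-party" (or, if Distlib is genuinely intended, add it to the Build backends section so the reference resolves).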