PEP 480: Fix status, author, discuss, reference #1693

Open. brainwane wants to merge 2 commits into base: master from brainwane:480-updates
Conversation

@brainwane
Contributor

@brainwane brainwane commented Oct 27, 2020

Move from Deferred to Draft status, update discussion venue and author list, and fix an obsolete reference to Distutils.

Signed-off-by: Sumana Harihareswara <sh@changeset.nyc>
@brainwane brainwane force-pushed the brainwane:480-updates branch from af89d30 to e2b198b Oct 27, 2020
@brainwane
Contributor Author

@brainwane brainwane commented Oct 27, 2020

Followup to #1681 to be reviewed by @mnm678 @trishankatdatadog @pfmoore and ideally @ncoghlan.

Also, the bit about PyPI users registering projects prior to uploading (peps/pep-0480.txt, lines 380 to 395 in e2b198b):

```rst
The following outlines an automated signing solution that a new developer MAY
follow to upload a distribution to PyPI:

1. Register a PyPI project.
2. Enter a secondary password (independent of the PyPI user account password).
3. Optional: Add a new identity to the developer's PyPI user account from a
   second machine (after a password prompt).
4. Upload project.

Step 1 is the normal procedure followed by developers to `register a PyPI
project`__.

__ https://pypi.python.org/pypi?:action=register_form

Step 2 generates an encrypted key file (private), uploads an Ed25519 public key
to PyPI, and signs the TUF metadata that is generated for the distribution.
```

is now obsolete and needs to be updated before we can re-start deliberations on this PEP.

@mnm678
mnm678 approved these changes Oct 28, 2020
@brettcannon brettcannon requested a review from pfmoore Oct 28, 2020
Co-Authored-By: Paul Moore <p.f.moore@gmail.com>
@pfmoore pfmoore requested a review from dstufft Oct 28, 2020
@brainwane
Contributor Author

@brainwane brainwane commented Oct 28, 2020


@mnm678 if you want you could do that as a separate PR, or you could make a fresh review with a suggested replacement and I'll commit it into this PR.

@brainwane
Contributor Author

@brainwane brainwane commented Nov 3, 2020

@brainwane
Contributor Author

@brainwane brainwane commented Jan 28, 2021

@pfmoore @dstufft could this get a fresh review so we can update the authors? Thanks!

Review comment on pep-0480.txt:

```rst
`Setuptools`__ MAY be modified to sign metadata and to upload signed
distributions to PyPI. Setuptools is a library which implements
low-level functions that relate to packaging and publication of
Python software.
```

@pfmoore

pfmoore Jan 28, 2021
Member

Given that this is no longer referencing distutils (which had a privileged position as being in the stdlib) would it be more reasonable to talk about "build backends" in general here? In particular, setuptools is not a "library which implements low-level functions" - it's a build backend like many others, and whereas other backends could reasonably depend on distutils for signing functions, they would not be likely to want a dependency on setuptools.
