theupdateframework / pep-on-pypi-with-tuf
PEP 458: Securing the Link from PyPI to the End User
License: The Unlicense
Use cases like the one in this PEP (where a consistent view of a changing filesystem is needed) are exactly why storage technologies like "LVM snapshots" exist: http://www.tldp.org/HOWTO/LVM-HOWTO/snapshots_backup.html
This means the PEP needs to make a much stronger case for why it proposes to reinvent snapshot creation at the web application layer rather than simply requiring the use of an appropriate storage layer (like LVM) that supports fast and cheap volume snapshots.
We should close and mark this repo as a read-only archive, no?
Currently, we recommend that hash collisions can somehow be automatically handled. Since cryptographic hash algorithms should make hash collisions extremely unlikely, it is safer and acceptable to simply require the server to report an error.
Currently, a repository re-signed with the same key duplicates the key in root.txt & targets.txt. The tools should detect if the key is the same when signing and simply update the file instead of adding the duplicate key.
In this section:
"Although the merge cost may be amortized over time, this scheme is not conceptually si"
..."si" what, man? Don't leave us hanging there!
As @JustinCappos observed, the unclaimed role keys may as well be offline (but the keys to the delegated unclaimed bin roles will still be online). There is no real security difference (because attackers who compromise the repository can still mess with the delegated unclaimed bin roles), but there is no harm in keeping it offline (at least the attackers cannot add, update or remove a delegated unclaimed bin role).