
Roadmap for PEP 458

Open di opened this issue 3 years ago • 7 comments

This is a meta-issue to document the roadmap for PyPI's support for PEP 458. This top-level comment will be updated as the roadmap progresses. Comments on this issue should be limited to a discussion of this roadmap only, e.g. whether there are steps missing, discovered to be necessary or resolved.

Roadmap

  • [x] PEP 458 is accepted

    • [x] https://github.com/python/peps/pull/931
    • [x] https://github.com/python/peps/pull/1178
    • [x] https://github.com/python/peps/pull/1203
    • [x] https://github.com/python/peps/pull/1247
    • [x] https://github.com/python/peps/pull/1253
    • [x] https://github.com/python/peps/pull/1261
    • [x] https://github.com/python/peps/pull/1268
    • [x] https://github.com/python/peps/pull/1269
    • [x] https://github.com/python/peps/pull/1270
    • [x] https://github.com/python/peps/pull/1280
    • [x] https://github.com/python/peps/pull/1281
    • [x] https://github.com/python/peps/pull/1284
    • [x] https://github.com/python/peps/pull/1287
    • [x] https://github.com/python/peps/pull/1295
    • [x] https://github.com/python/peps/pull/1306
  • [x] Key generation and signing ceremony for PyPI

    • [x] Runbook: https://github.com/psf/psf-tuf-runbook
    • [x] Announcement: https://pyfound.blogspot.com/2020/10/key-generation-and-signing-ceremony-for.html
    • [x] Recording: https://www.youtube.com/watch?v=jjAq7S49eow
  • [x] #8487

    • [x] #8586
    • [ ] Serve hashed simple index pages directly from storage via CDN
    • [ ] Serve simple index metadata
  • [ ] Initial TUF services

    • [ ] https://github.com/pypa/warehouse/pull/8955
  • [x] Updates to python-tuf

    • [x] https://github.com/theupdateframework/python-tuf/issues/1009
      • [x] https://github.com/secure-systems-lab/securesystemslib/pull/232
    • [x] https://github.com/theupdateframework/python-tuf/issues/1009
      • [x] https://github.com/theupdateframework/python-tuf/pull/1024
    • [x] https://github.com/theupdateframework/python-tuf/issues/574
    • [x] https://github.com/theupdateframework/python-tuf/issues/1045
      • [x] https://github.com/theupdateframework/python-tuf/pull/1052
    • [x] https://github.com/theupdateframework/python-tuf/issues/1046
      • [x] https://github.com/theupdateframework/python-tuf/pull/1049
    • [x] https://github.com/theupdateframework/python-tuf/issues/1048
      • [x] https://github.com/theupdateframework/python-tuf/pull/1112
    • [x] https://github.com/theupdateframework/python-tuf/issues/1263
      • [x] https://github.com/secure-systems-lab/securesystemslib/pull/319
      • [x] https://github.com/theupdateframework/python-tuf/pull/1272
    • [x] python-tuf 1.0.0 release: https://github.com/theupdateframework/python-tuf/projects/2
  • [ ] Integrate with python-tuf

    • [ ] Support for bumping snapshots, bin roles, adding targets
      • [ ] #7488
      • [ ] #10870
  • [ ] Populate top-level TUF roles

  • [ ] Bring TUF keys online

    • [ ] HSMs containing the signing keys need to be distributed
    • [ ] Each keyholder needs to use their HSM to sign the top-level TUF targets
    • [ ] Create the online bits?

Downstream issues unblocked once this roadmap is complete:

  • [ ] https://github.com/pypa/pip/issues/8585

This is likely incomplete, cc @ewdurbin @woodruffw @trishankatdatadog @JustinCappos @mnm678 @joshuagl @jku @pradyunsg @brainwane for your input & awareness.

di, Feb 01 '22 22:02
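The roadmap above names the pieces a PEP 458 deployment needs (hashed simple-index pages served from storage, bin roles, adding targets, bumping snapshots) without showing what a client actually checks. The following is an added illustration written for this page; it is not code from Warehouse, python-tuf or the PEP, and its layout constants are assumptions: that the "bins" role delegates to 2**14 "bin-n" roles chosen by the leading 14 bits of SHA-256 over the target path, and that consistent-snapshot targets are served as `<dir>/<sha256 hex>.<filename>`. It uses only the standard library and deliberately stops short of signature and root/timestamp/snapshot chain verification, which python-tuf's client performs; everything here assumes the bin metadata has already been signature-checked. The sample index page is constructed for the example.

```python
import hashlib
import re

# Assumptions about PEP 458's layout (stated here, not taken from the thread):
# the "bins" role delegates to 2**14 "bin-n" roles selected by the leading
# 14 bits of SHA-256(target path), and consistent-snapshot targets are served
# as <dir>/<sha256 hex>.<filename>.
BIT_LENGTH = 14
NAME_PREFIX = "bin"


def bin_role_for(target_path, bit_length=BIT_LENGTH, prefix=NAME_PREFIX):
    """Name of the delegated bin role responsible for target_path.

    Re-implements the succinct hash-bin rule (leading bit_length bits of the
    SHA-256 of the path choose the bin) with the standard library; this is
    illustrative code, not python-tuf's implementation.  A client must only
    accept an entry for target_path from this role, never from another bin.
    """
    digest = hashlib.sha256(target_path.encode("utf-8")).digest()
    bin_number = int.from_bytes(digest, "big") >> (256 - bit_length)
    width = len(f"{(1 << bit_length) - 1:x}")  # hex digits for the largest index
    return f"{prefix}-{bin_number:0{width}x}"


def consistent_snapshot_name(target_path, content):
    """Path under which a consistent-snapshot copy of content is served."""
    directory, _, filename = target_path.rpartition("/")
    hashed = f"{hashlib.sha256(content).hexdigest()}.{filename}"
    return f"{directory}/{hashed}" if directory else hashed


_HASHED_NAME = re.compile(r"^(?:.*/)?([0-9a-f]{64})\.[^/]+$")


def name_matches_content(served_path, content):
    """True only if the digest embedded in served_path equals SHA-256(content).

    This is the check that makes CDN-served hashed pages safe to cache: the
    name commits to the bytes, so a stale or swapped page is detectable.
    """
    match = _HASHED_NAME.match(served_path)
    if match is None:
        return False
    return match.group(1) == hashlib.sha256(content).hexdigest()


def verify_target(signed_targets, target_path, content):
    """Client-side acceptance check for a downloaded target.

    signed_targets is the "signed" portion of a targets (or bin-n) metadata
    file, already signature-checked.  The bytes are accepted only if an entry
    for target_path exists, the length matches, and every listed hash matches.
    An unknown hash algorithm is treated as a failure rather than skipped.
    """
    entry = signed_targets.get("targets", {}).get(target_path)
    if entry is None or entry.get("length") != len(content):
        return False
    hashes = entry.get("hashes") or {}
    if not hashes:
        return False
    for algo, expected in hashes.items():
        try:
            actual = hashlib.new(algo, content).hexdigest()
        except ValueError:  # algorithm not supported locally: do not accept blindly
            return False
        if actual != expected:
            return False
    return True


def build_bin_entry(target_path, content):
    """Server-side: the entry a bin-n role would sign for one target."""
    return {
        "length": len(content),
        "hashes": {"sha256": hashlib.sha256(content).hexdigest()},
    }


# Constructed sample: a tiny simple-index page for a made-up project.
SAMPLE_PATH = "simple/sampleproject/index.html"
SAMPLE_PAGE = (
    b"<html><body><a href='sampleproject-1.0.tar.gz'>"
    b"sampleproject-1.0.tar.gz</a></body></html>\n"
)
SAMPLE_BIN_METADATA = {"targets": {SAMPLE_PATH: build_bin_entry(SAMPLE_PATH, SAMPLE_PAGE)}}


def demo():
    """Run the whole flow once: which bin signs the page, where it is served,
    and whether pristine and tampered copies pass the client check."""
    role = bin_role_for(SAMPLE_PATH)
    served = consistent_snapshot_name(SAMPLE_PATH, SAMPLE_PAGE)
    ok = verify_target(SAMPLE_BIN_METADATA, SAMPLE_PATH, SAMPLE_PAGE)
    tampered = verify_target(SAMPLE_BIN_METADATA, SAMPLE_PATH, SAMPLE_PAGE + b"<!-- -->")
    return role, served, ok, tampered


if __name__ == "__main__":
    print(demo())
```

Two of these checks are the ones easiest to forget when wiring a CDN in front of hashed pages: the digest in the served filename must be recomputed over the bytes actually received, and a target entry is only trustworthy when it comes from the bin role that the hash-prefix delegation assigns to that path, since a key for some other bin has no authority over it.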

(Sorry, cc @kairoaraujo as well!)

di, Feb 01 '22 22:02

#8586 has been merged, next step on our end here is setting up the CDN to serve the hashed pages from storage.

di, Feb 02 '22 19:02

tuf==1.0.0 has been released: https://pypi.org/project/tuf/1.0.0/

di, Feb 22 '22 18:02

I may be mistaken, but it looks like movement on PEP 458 has slowed -- what can we do to help get it moving again? Should I be watching https://github.com/jku/repository-playground or helping test #10870 or #8955 or #7488? Thanks!

brainwane, Jun 25 '22 02:06

Please let me know if I can help.

ofek, Jun 25 '22 02:06

Hi, @brainwane and @ofek. Helping to review and test PR #10870 for the TUF initialization for development would be great. 🙂

kairoaraujo, Jun 25 '22 07:06

Newer status updates:

  • January 2023, splitting out RSTUF from Warehouse: https://discuss.python.org/t/pep-458-current-status-and-next-steps-feedback-requested/17211/8
  • Living status doc for RSTUF development progress: https://github.com/repository-service-tuf/repository-service-tuf/blob/main/ROADMAP.rst

ncoghlan, Sep 10 '24 10:09