PEP 458 current status and next steps (feedback requested)

TL;DR: PEP 458 and its implementation in Warehouse have been streamlined and described in a succinct design document. In order to further simplify the Warehouse implementation, focus has shifted from a deep integration within Warehouse to the development of an autonomous repository service (RSTUF), which can be interfaced by Warehouse. A rough ETA for this is the end of February.

Hello again from the PEP 458 implementers! In our initial post on this thread we reported on our ongoing efforts to integrate TUF into Warehouse. These efforts have produced a succinct but comprehensive design document and streamlined the existing PR:

  • The design document provides clear implementation instructions that can be easily validated against PEP 458 and the TUF specification by people familiar with these resources, and can also be used by adopters to validate the correctness of the implementation without in-depth background knowledge. Detailing the routines prescribed by the PEP allowed us to adopt a few major simplifications, such as requiring only one instead of two offline roles and re-using a single online key for all other roles.
  • The initial PR was streamlined to reduce the implementation LOC count by half. The simplifications have been upstreamed.

Despite the complexity reduction on multiple levels, a deep integration of PEP 458 into Warehouse remains a drastic change to the Warehouse code base, which poses a challenge for Warehouse maintainers, both in terms of initial review and in ongoing maintenance effort. This is why we have shifted our focus to the implementation of a stand-alone Repository Service for TUF (RSTUF).

RSTUF is a collection of services to deploy a scalable and distributed TUF repository, as described in, but not limited to, the PEP 458 setup. It consists of three main components:

  • A management CLI, which can be used to bootstrap TUF's root of trust in an offline key ceremony.
  • A REST API, which can be interfaced by a content repository such as PyPI, e.g. to register newly added packages.
  • A worker service, which listens for events, such as package additions, and maintains a consistent TUF metadata repository in a scalable way.

Our next steps will focus on a stable release of RSTUF (see roadmap), followed by a PR for the Warehouse development environment (as in the current PR), which uses RSTUF to implement PEP 458. A rough ETA for this is the end of February.

Stay tuned!

Kairo Francisco de Araujo
Joshua Lock
Lukas Pühringer

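The role layout the post describes (a single offline root role, and one online key re-used by the timestamp, snapshot and targets roles) is easy to state but worth checking mechanically before a root of trust is published. The following is an added example, not RSTUF, Warehouse or python-tuf code: it builds a root.json-shaped role/key table for that layout and runs the consistency checks a reviewer would want (no online role may hold the offline root key, the online roles share exactly one key, every referenced keyid is declared, thresholds are satisfiable). The public key values are constructed placeholders, and keyids are computed as SHA-256 over sorted, compact JSON of the key dict, which is used here as an approximation of TUF canonical JSON; no signing is performed.

```python
"""Model of the streamlined PEP 458 root layout: one offline root key,
one online key shared by timestamp/snapshot/targets. Added example;
keys below are constructed placeholders, not real material."""
import hashlib
import json

ONLINE_ROLES = ("timestamp", "snapshot", "targets")


def key_dict(public_hex: str) -> dict:
    """TUF key object for an ed25519 public key (hex encoded)."""
    return {"keytype": "ed25519", "scheme": "ed25519",
            "keyval": {"public": public_hex}}


def keyid(public_hex: str) -> str:
    """Approximation of a TUF keyid: SHA-256 over canonical JSON of the key.
    Sorted-keys compact JSON stands in for the spec's canonical JSON here."""
    canon = json.dumps(key_dict(public_hex), sort_keys=True,
                       separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def build_root(offline_pub: str, online_pub: str, expires: str) -> dict:
    """Return the 'signed' portion of a root.json using the one-offline-role,
    one-online-key layout. Signatures are out of scope for this example."""
    off_id, on_id = keyid(offline_pub), keyid(online_pub)
    return {
        "_type": "root",
        "spec_version": "1.0.0",
        "version": 1,
        "expires": expires,
        "consistent_snapshot": True,
        "keys": {off_id: key_dict(offline_pub), on_id: key_dict(online_pub)},
        "roles": {
            "root": {"keyids": [off_id], "threshold": 1},
            **{r: {"keyids": [on_id], "threshold": 1} for r in ONLINE_ROLES},
        },
    }


def check_layout(signed: dict) -> list:
    """Return a list of problems (empty means the layout is consistent)."""
    problems = []
    roles, keys = signed["roles"], signed["keys"]
    root_keys = set(roles["root"]["keyids"])

    # 1. The offline root key must never be referenced by an online role.
    for r in ONLINE_ROLES:
        if set(roles[r]["keyids"]) & root_keys:
            problems.append(f"{r} shares a key with the offline root role")

    # 2. The online roles are expected to share exactly one online key.
    online_keys = set()
    for r in ONLINE_ROLES:
        online_keys.update(roles[r]["keyids"])
    if len(online_keys) != 1:
        problems.append("online roles do not share a single online key")

    # 3. Every referenced keyid is declared, and thresholds are satisfiable.
    for name, role in roles.items():
        unknown = set(role["keyids"]) - set(keys)
        if unknown:
            problems.append(f"{name} references undeclared keyids {sorted(unknown)}")
        if not 1 <= role["threshold"] <= len(role["keyids"]):
            problems.append(f"{name} threshold {role['threshold']} is unsatisfiable")
    return problems


if __name__ == "__main__":
    # Constructed placeholder public keys (32 bytes, hex).
    offline = "aa" * 32
    online = "bb" * 32
    root = build_root(offline, online, "2030-01-01T00:00:00Z")
    print(json.dumps(root, indent=2))
    print("problems:", check_layout(root))
```

A misconfigured root, e.g. one where the timestamp role was pointed at the root keyid, shows up immediately as a non-empty problem list; in a real ceremony this check would run on the metadata before the offline key signs it.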