I still think this statement is vastly overstating what the PEP addresses.
- legitimately published yet malicious packages are not in any way prevented or identified by this proposal
- a compromise of PyPI’s storage system is the only compromise that would be protected against, assuming none of the keys were kept in compromised storage
- there’s no recovery from a compromise of the root key
- recovery implies restoration, as Paul mentioned, but all we can really do is fail validation for anything signed by a key that was never properly endorsed or that was (presumably compromised and) used after its expiration
- (I assume that there’s no attack whereby the attacker forces a key rotation and re-signing of a package that was injected without correctly signed metadata, but I haven’t worked this one through)

MITM attacks and client-side redirection attacks seem to be the primary vector being protected against. They should at least get a mention.

I’m not aware of anyone at Microsoft using TUF in production. Could you email me at steve(dot)dower(at)microsoft.com with either the team or a person you know who is involved? My understanding was that TUF does not meet our compliance requirements, so I’m interested to see how they made it work.