I 100% agree with Guido here. Even as an insider of the packaging world, I can make little sense of this PEP. I just skimmed the current version of the PEP and was confronted with a wall of text covering security related issues that I don’t really follow. And yet, from @sumanah’s comment, it sounds like we might have people lining up to implement this.
In principle, that’s fine - I’m not a security specialist and I’m happy to leave the security decisions to those who are - but I do have some fundamental questions here:
- As a package author, will this affect me? Will I be expected to generate/provide some sort of new “trust keys” when I publish my packages?
- As a member of a team working on a package (pip), will the answer to the above change if my project wants to “opt in” to something? Sorry - that question is confused (because I am). Basically, though, if the answer to (1) is “nothing new is required, it’s optional”, how easy will it be for me to conform if a project I work on decides to “opt in”? I can happily decide for my own projects that this is all too confusing and opt out, but who will clarify what I need to do if I work on a project that opts in?
I think what I’m saying is that the PEP needs a high level summary of how it affects various user groups:
- Package consumers
- Package authors
- Members of teams of package authors, who may not agree with the “team view”
(also people like PyPI admins, but I consider them to be the target audience for the rest of the PEP!) If I missed such a summary, then it needs to be more prominent.