PEP 458: Secure PyPI downloads with package signing

sumanah · December 2, 2019, 10:26pm

PEP 458 is ready for community review and – per these RFI threads and this Discourse discussion – the plan is for contractors to start work on PyPI this month (on implementing the foundations for cryptographic signing (and malware detection, which is not relevant to this PEP)). @EWDurbin will be managing that.

Topic		Replies	Views
RFC: improving pip security with package signing (PEP-458) Packaging	3	922	January 14, 2021
PyPI security work: multifactor auth progress & help needed Packaging	65	26320	September 23, 2022
PEP 480: Surviving a Compromise of PyPI: End-to-end signing of packages PEPs	6	2004	May 17, 2022
Interoperability concerns PyPI Q4 RFI	2	1007	September 19, 2019
PEP 458 current status and next steps (feedback requested) Packaging	7	1264	January 23, 2023

PEP 458: Secure PyPI downloads with package signing

Related Topics