I’m hoping to get some eyeballs on a pip (draft) PR of mine: It implements PEP-458 in pip.
In short, pypi.org will soon provide signed metadata that clients can use to verify that the package they download is what was originally uploaded to pypi.org and that the supply chain has not been tampered with. In the future the same infrastructure can be used to verify developer signatures as well.
- high level review (I’m not a pip expert so may have integrated at wrong levels of abstraction)
- discussion on a couple of design aspects
  - 2.1 progress indication: currently disabled
  - 2.2 control over downloads: TUF (a new vendored dependency) controls download details
  - 2.3 threads: multithreading (in `pip list -o/-u`) is disabled in the PR
I’ve tried to explain much more in the PR cover letter. I’m hoping to get some discussion going on the PR but am happy to talk here as well.
I’m hoping the feature can be tested soon, but as of now a test server is not yet available.