PMXBOT Log file Viewer


#pypa-dev logs for Thursday the 12th of September, 2019

[17:54:29] <sumanah> reminder for those who don't look at (for instance) distutils-sig: PSF has published a Request for Information seeking software developers to add these features to Warehouse
[17:54:30] <sumanah> Verifiable cryptographic signing of artifacts (PEP 458/TUF or similar)
[17:54:30] <sumanah> Technical infrastructure and methods for automated detection of malicious package uploads
[17:55:05] <sumanah> Some potential contractors & other experts are currently discussing implementation & related questions in https://discuss.python.org/c/python-software-foundation/pypi-q4-rfi
[17:55:19] <sumanah> especially: What methods should we implement to detect malicious content? and: PEPs 458 and 480 offer different levels of security; which (if either) should we implement? Which one has more appropriate operational efficacy? Should we use TUF (The Update Framework) or another approach?
[19:24:43] <tos9> sumanah: maybe that's the kind of message that should go to #pypa too?
[19:25:13] <tos9> Possibly even some total end users have opinions