PEP 458: update dead or outdated references #1178
Conversation
Uses static last stable version tag (v0.11.1), instead of dynamic branch name (develop), when pointing to documents in the TUF repository. This makes them more prone to become outdated but less prone to 404. Note, that the two referenced tuf publications are also available under more permanent, albeit paywalled DOIs: [2] https://doi.org/10.1145/1866307.1866315 [13] https://doi.org/10.1145/1455770.1455841
|
Hello, and thanks for your contribution! I'm a bot set up to make sure that the project can legally accept this contribution by verifying everyone involved has signed the PSF contributor agreement (CLA). CLA MissingOur records indicate the following people have not signed the CLA: For legal reasons we need all the people listed to sign the CLA before we can look at your contribution. Please follow the steps outlined in the CPython devguide to rectify this issue. If you have recently signed the CLA, please wait at least one business day You can check yourself to see if the CLA has been received. Thanks again for the contribution, we look forward to reviewing it! |
| @@ -942,7 +942,7 @@ in this section: | |||
| distributions and manage keys is expected to render key signing an unused | |||
| feature. | |||
|
|
|||
| __ https://minilock.io/ | |||
| __ https://github.com/kaepora/miniLock | |||
There was a problem hiding this comment.
I have only corrected the link here (seems like minilock.io has a new owner). However, I suggest to update the entire reference to something like YubiKey, or another contemporary alternative. If desired I can do it as part of this PR.
| .. [23] https://www.openssl.org/ | ||
| .. [24] https://pypi.python.org/pypi/pycrypto | ||
| .. [24] https://github.com/pyca/cryptography |
There was a problem hiding this comment.
This used to point to pycrypto, which is not used anymore in the TUF reference implementation. Instead it uses cryptography and PyNaCl, both optionally, and ed25519 for a minimal pure Python installation. On a side note, the TUF team is also working on support for OpenPGP with gnupg (#174), HSM signing with PyKCS11 (#170), and SPHINCS + with PySPX (#169).
Let me know if any of this information should be incorporated in the PEP.
| @@ -1044,7 +1044,7 @@ References | |||
| ========== | |||
|
|
|||
| .. [1] https://pypi.python.org | |||
| .. [2] https://isis.poly.edu/~jcappos/papers/samuel_tuf_ccs_2010.pdf | |||
| .. [2] https://theupdateframework.github.io/papers/survivable-key-compromise-ccs2010.pdf | |||
| .. [3] http://www.pip-installer.org | |||
| .. [4] https://wiki.python.org/moin/WikiAttack2013 | |||
| .. [5] https://github.com/theupdateframework/pip/wiki/Attacks-on-software-repositories | |||
There was a problem hiding this comment.
FYI, I left this link. although the wiki page it points to doesn't list any attacks after 2016. I did, however, update that wiki page to direct the reader to a broader and more up to date collection of supply chain compromises.
| @@ -942,7 +942,7 @@ in this section: | |||
| distributions and manage keys is expected to render key signing an unused | |||
| feature. | |||
|
|
|||
| __ https://minilock.io/ | |||
| __ https://github.com/kaepora/miniLock | |||
PEP 1 does not seem to mention such a header. |
Uses static last stable version tag (v0.11.1), instead of dynamic branch name (develop), when pointing to documents in the TUF repository. This makes them more prone to become outdated but less prone to 404.
Note, that the two referenced tuf publications are also available under more permanent, albeit paywalled DOIs:
[2] https://doi.org/10.1145/1866307.1866315
[13] https://doi.org/10.1145/1455770.1455841