PEP 458: fix technical choices and remove ambiguity #1203
Co-Authored-By: lukpueh <[email protected]>
Co-Authored-By: lukpueh <[email protected]>
Add Yubikey example and link
Consistent snapshots used to require a hash digest prefix in filenames for metadata and target files; now only target files add a hash digest prefix and metadata uses a version number.
The link used to point to outdated documentation in the reference implementation. This change updates the link to point to the up-to-date client workflow in the specification.
Update link to client updater workflow
Update Consistent Snapshots section
…ta-scalability Update metadata scalability
Relative or absolute filenames
…-keys Discuss how to manage online and offline keys
Co-Authored-By: Trishank K Kuppusamy <[email protected]>
Co-Authored-By: Trishank K Kuppusamy <[email protected]>
Co-Authored-By: Joshua Lock <[email protected]>
Co-Authored-By: lukpueh <[email protected]>
Only use sha 512
Requires updating other captions:
- Figure 2 --> Figure 1
- Table 1, 2, 4 --> Table 2, 3, 4
This commit also removes a stray "and".
- Update targets row to say that it signs the targets metadata
- Update snapshot row to mention that it only lists targets and targets metadata and why it doesn't list root and timestamp.
Co-Authored-By: Trishank Karthik Kuppusamy <[email protected]>
Replace tuf roles overview image with text table
#71 removed sha256 hashes from targets metadata and correctly updated the metadata calculation in the tables, but not in the text. This commit updates the relevant numbers in the text. It further fixes an unrelated wording mistake in the metadata calc section.
Update metadata calc in text after removing sha256
Following discussions with @dstufft and @trishankatdatadog regarding file uploads and simple index generation on PyPI (see #70), this commit once more refines the "producing consistent snapshots" section. It includes the following changes:
- Remove the notion of *transaction processes* and instead talk about *uploads*. Background: Transaction processes are only relevant if multiple files of a project release need to be handled in a single transaction, which is not the case on PyPI, where each upload of a distribution file is self-contained. With this change, upload processes just place files into a queue, without updating bin-n metadata (as transaction processes would have done in parallel), and all the metadata update/creation work is done by the snapshot process in a strictly sequential manner.
- Add a paragraph about simple index pages and how their hashes should be included in *bin-n* metadata, and how they need to remain stable if re-generated dynamically.
Co-Authored-By: lukpueh <[email protected]>
… number reset to make it more generic
@trishankatdatadog is this ready for re-review?
Add description of version number scalability
Mostly yes, @brainwane. There is one fix that still awaits internal review, i.e. sslab/pep#75, and one concern that is still under discussion, i.e. sslab/pep#68 (see my inline replies to @dstufft's review above for more details).
Update "Producing Consistent Snapshots"
Speaking with my PEP Editor hat on.
I feel you all are abusing the PR mechanism here. You shouldn't have the entire discussion in a PR and then expect to land the final PR in one merge. Successive drafts should be merged to the peps repo's master branch quickly, so they can be reviewed by the general public on python.org.
@dstufft If I haven't heard back from anyone before the end of 2019, I'll just land it (probably you can land it yourself too). If you really don't want me to land it but you have nothing else to say, change the PR subject to start with [WIP].
I suggest that we merge this PR and then post a note within the PEP 458 Discourse thread to have further discussion there.
Per suggestion by @brainwane, I'll just merge this now.
Update PEP 458 as per @ewdurbin and @dstufft comments. High-level summary: