Bins Role uses offline keys #1

Closed
wants to merge 6 commits into from

Conversation

mnm678
Collaborator

@mnm678 mnm678 commented Oct 4, 2019

Update the image and description so that the bins role uses offline keys

Member

@lukpueh lukpueh left a comment

The patch itself looks good to me, but there are other places in the document that need to be adopted. Here is one paragraph that's now obsolete:

Each of the "bin" roles SHOULD share the same key as the bins role, due to space efficiency,
and because there is no security advantage to requiring separate keys.

I suggest to grep for all occurrences of "bin" in the text to check for consistency.

@mnm678
Collaborator Author

mnm678 commented Oct 8, 2019

@lukpueh I fixed a couple more references to the online bins key. I decided to not change the references that are fixed in #4 to prevent a conflict.

@JustinCappos

@lukpueh, when you get a chance, can you re-review and merge if ready?

pep-0458.txt Outdated
@@ -397,8 +398,8 @@ not have any of the keys required to sign for projects. However, it does not
protect projects from attackers who have compromised PyPI, since attackers can
manipulate TUF metadata using the keys stored online.

This PEP proposes that the *bins* role (and its delegated roles) sign for all
PyPI projects with an online key. The *targets* role, which only signs with an
This PEP proposes that the *bins* role's delegated roles sign for all
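Review bot: the replacement line drops the phrase "with an online key" that the removed sentence carried, and the hunk as shown ends there, so it is not visible which key the delegated roles are now said to sign with. Since the point of this PR is that the *bins* role itself moves to an offline key while its delegated roles keep signing online, the new sentence should state that explicitly, e.g. "... sign for all PyPI projects with an online key, while the *bins* role signs with an offline key." Also worth checking that the sentence about the *targets* role, cut off in the removed text, still reads correctly after the edit.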
Suggested change
This PEP proposes that the *bins* role's delegated roles sign for all
This PEP proposes that the *bin-n* roles roles sign for all

mnm678 and others added 3 commits October 9, 2019 17:08
lukpueh added a commit that referenced this pull request Oct 10, 2019
@lukpueh
Member

lukpueh commented Oct 10, 2019

Merged into master manually with 4d1e05c after resolving a conflict (4969aed --> b46c4c4).

@lukpueh lukpueh closed this Oct 10, 2019