
Commit 8db5745

Fix python#13
1 parent c5e6ee9 commit 8db5745

File tree: 1 file changed, +18 -16 lines changed


pep-0458.txt

Lines changed: 18 additions & 16 deletions
@@ -361,23 +361,25 @@ __ https://github.com/theupdateframework/tuf/blob/v0.11.1/docs/TUTORIAL.md#how-t
361361
How to Establish Initial Trust in the PyPI Root Keys
362362
----------------------------------------------------
363363

364-
Package managers like pip need to ship a file called "root.json" with the
364+
Package managers like pip MUST ship the *root* metadata file with the
365365
installation files that users initially download. This includes information
366-
about the keys trusted for certain roles, as well as the root keys themselves.
367-
Any new version of "root.json" that clients may download are verified against
368-
the root keys that client's initially trust. If a root key is compromised, but
369-
a threshold of keys are still secured, the PyPI administrator MUST push a new
370-
release that revokes trust in the compromised keys. If a threshold of root keys
371-
are compromised, then "root.json" should be updated out-of-band, however the
372-
threshold should be chosen so that this is extremely unlikely. The TUF client
373-
library does not require manual intervention if root keys are revoked or added:
374-
the update process handles the cases where "root.json" has changed.
375-
376-
To bundle the software, "root.json" MUST be included in the version of pip
377-
shipped with CPython (via ensurepip). The TUF client library then loads the
378-
root metadata and downloads the rest of the roles, including updating
379-
"root.json" if it has changed. An `outline of the update process`__ is
380-
available.
366+
about the keys trusted for all top-level roles (including the root keys themselves).
367+
Any new version of *root* metadata that package managers may download are verified
368+
against the root keys that the package managers initially trust. If a root key is
369+
compromised, but a threshold of keys are still secured, the PyPI administrator MUST
370+
push new *root* metadata that revokes trust in the compromised keys. If a threshold
371+
of root keys are compromised, then the *root* metadata MUST be updated out-of-band.
372+
(However, the threshold of root keys should be chosen so that this event is extremely
373+
unlikely.) Package managers do not necessarily need to be updated immediately if root
374+
keys are revoked or added between new releases of the package manager: the update process
375+
automatically handles the cases where a threshold of previous *root* keys sign for new
376+
*root* keys (assuming no backwards-incompatibility in the TUF specification used).
377+
378+
Thus, to repeat, the latest good copy of *root* metadata MUST be included
379+
in any new version of pip shipped with CPython (via ensurepip). The TUF client library
380+
inside the package manager then loads the *root* metadata and downloads the rest of
381+
the roles, including updating the *root* metadata if it has changed.
382+
An `outline of the update process`__ is available.
381383

382384
__ https://github.com/theupdateframework/specification/blob/master/tuf-spec.md#5-detailed-workflows.
383385

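Review bot: the rewritten paragraph carries over a subject-verb mismatch in three places: "Any new version of *root* metadata that package managers may download are verified" should read "is verified", and "a threshold of keys are still secured" / "a threshold of root keys are compromised" should read "is still secured" / "is compromised" (the subject is the threshold, not the keys). Separately, "the *root* metadata MUST be updated out-of-band" names no mechanism; since the next paragraph already requires the latest good *root* metadata to ship with every new pip release (via ensurepip), consider saying explicitly that the out-of-band path is a new release of the package manager carrying the new *root* metadata, and that the parenthetical "assuming no backwards-incompatibility in the TUF specification used" likewise means the package manager itself must be updated in that case. "Thus, to repeat" also reads as a draft note; "Therefore" would suffice.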