Oops, forgot to cc the list<br><br><div class="gmail_quote">On Fri, Mar 21, 2008 at 12:28 AM, Tarek Ziadé <<a href="mailto:ziade.tarek@gmail.com">ziade.tarek@gmail.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br><br><div class="gmail_quote"><div class="Ih2E3d">On Thu, Mar 20, 2008 at 9:42 PM, Jeff Rush <<a href="mailto:jeff@taupro.com" target="_blank">jeff@taupro.com</a>> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div>Tarek Ziadé wrote:<br>
><br>
> On Thu, Mar 20, 2008 at 12:17 AM, Jeff Rush <<a href="mailto:jeff@taupro.com" target="_blank">jeff@taupro.com</a><br>
><br>
</div>> - move to https/ssl<br>
<div>><br>
> There are a few problems in this area, also related to indexing<br>
> we need to work out imho:<br>
><br>
> When a package defines a https://... link into the url meta-data, the<br>
> link will<br>
> be added in the Simple index besides other links. For instance, people<br>
> who use sourceforge can have such urls. Even if the package egg or tarball<br>
> is available at PyPI, the home page url will appear at #1 on the index page.<br>
><br>
> This will make tools like easy_install read this link before it reaches<br>
> the egg/tarball.<br>
><br>
> This is OK as long as the users behind the firewalls are allowed to call<br>
> httpS...<br>
<br>
</div>It's not clear to me the correct behavior - help me understand:<br>
<br>
1. Are there firewall policies that block *all* https access? I've<br>
only encountered more fine-grained firewalls because, to me, use<br>
of https for _some_ sites is a necessary and expected behavior.</blockquote></div><div><br>That happened last week for a developer on one project at a customer<br>place. I am not saying it is the right behavior, but that's how I found the problem.<br>
<br>Now maybe such a firewall is too restrictive anyway to allow the<br>usage of a web-based repository such as PyPI.<br><br></div><div class="Ih2E3d"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
2. If we moved PyPI to serve exclusively over https, for integrity<br>
reasons, would this have a major negative impact?<br>
</blockquote></div><div><br>Related to 1. I guess it is a choice. As long as it is easy to<br>create mirrors of PyPI. That's what we do in some projects.<br><br>Now for https, like Dave says, we cannot create at this time<br>
a robust auth handler for it, and our PyPI implementation uses http auth.<br><br>So if this patch is pushed it is very cool :)<br><br></div><div class="Ih2E3d"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<br>
3. Would it be better to sort the URLs, to place the https ones at<br>
the end, and allow a fetch error to occur, or provide a<br>
.distutils config option to just quietly skip https sites?</blockquote></div><div><br>I think ordering the URLs and putting the *.egg, *.tar.gz, etc.<br>first would be good yes, as easy_install fetches them in order.<br>
<br>It will also make the system quicker I think, if easy_install<br>would not fetch external home URLs when the right packages<br>are available on the page.<br><br>Maybe those could be dropped when the dists are uploaded.<br>
That's what I am doing on the PyPI server I work on.<br><br></div><div class="Ih2E3d"><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
4. Is it not a problem that, when checking for newer versions,<br>
setuptools would be unable to access a newer version on an<br>
https site and would have to settle for an older version<br>
on a non-https site, leading to stale packages?<br>
</blockquote></div><div><br>Good point. But I guess that as long as the system allows<br>external urls, we can't prevent such failures.<br><br>We have some mirrors for that as a matter of fact,<br>
not to rely on third-party servers that are sometimes down<br>or moving things around.<br><br></div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<font color="#888888"><br>
-Jeff<br>
</font></blockquote></div><br><br></blockquote></div>
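As an added illustration of the link ordering discussed in points 3 and 4 above (example code written for this page, not code from the thread, setuptools or PyPI), the following parses the anchors of a Simple-index page, puts distribution files (*.egg, *.tar.gz, ...) ahead of external home-page links, and offers the "quietly skip https sites" option for clients behind a firewall that blocks all https. The sample index page and its hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Suffixes of files a client could install directly; these go first.
DIST_SUFFIXES = (".egg", ".tar.gz", ".tgz", ".zip")


class _LinkCollector(HTMLParser):
    """Collect href values of <a> tags in document order."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self.links.append(href)


def is_dist_link(url):
    """True if the URL path names a distribution file.

    The fragment (PyPI appends #md5=... to download links) is ignored."""
    return urlparse(url).path.lower().endswith(DIST_SUFFIXES)


def order_index_links(html, skip_https=False):
    """Return the page's links with distribution files first, external
    pages last.  With skip_https=True every https link is dropped, which
    is the 'quietly skip https sites' client option from the thread."""
    parser = _LinkCollector()
    parser.feed(html)
    dists, external = [], []
    for url in parser.links:
        if skip_https and urlparse(url).scheme == "https":
            continue  # client behind an https-blocking firewall cannot fetch it
        (dists if is_dist_link(url) else external).append(url)
    return dists + external


# Constructed sample: the home-page URL is listed before the files, as in
# the situation Tarek describes.
SAMPLE_PAGE = """<html><body>
<a href="https://foo-project.sourceforge.invalid/">home page</a>
<a href="../../packages/source/f/foo/foo-1.0.tar.gz#md5=0123abcd">foo-1.0.tar.gz</a>
<a href="../../packages/2.5/f/foo/foo-1.0-py2.5.egg#md5=4567ef01">foo-1.0-py2.5.egg</a>
<a href="http://downloads.example.invalid/foo/">download page</a>
</body></html>"""

if __name__ == "__main__":
    for url in order_index_links(SAMPLE_PAGE, skip_https=True):
        print(url)
```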