On 13 Nov 2015, at 12:55, Florian Schulze wrote:
We should rename "pypi_whitelist" into "mirror_whitelist" or something like that.
I was thinking a bit more about this and there are two different kinds of whitelisting that make sense IMO. The current on is whitelisting on a regular index for packages that have custom uploads to prevent security issues for private packages. I think with general mirroring the name should be made better. Maybe "inherited_mirror_whitelist"? There might also be use cases for blocking all inherited uploads ("inherited_whitelist")? The second one would be a whitelist on a mirror index. That way one can block all packages from being mirrored, except the whitelisted ones. The default here would be "*". This would enable preventing download of stuff you don't want. For all the whitelists we might want to support version specifiers. That way we can support indexes that provide a "known good set" for example. Thoughts? For now my main concern is to get the naming right, so we don't have to change it later on. The implementation for these different kind of whitelists can come later. Regards, Florian Schulze