
On Sun, Nov 15, 2015 at 15:00 +0100, Florian Schulze wrote:
On 13 Nov 2015, at 12:55, Florian Schulze wrote:
We should rename "pypi_whitelist" into "mirror_whitelist" or something like that.
I was thinking a bit more about this and there are two different kinds of whitelisting that make sense IMO.
The current one is whitelisting on a regular index for packages that have custom uploads to prevent security issues for private packages. I think with general mirroring the name should be made better. Maybe "inherited_mirror_whitelist"? There might also be use cases for blocking all inherited uploads ("inherited_whitelist")?
The second one would be a whitelist on a mirror index. That way one can block all packages from being mirrored, except the whitelisted ones. The default here would be "*". This would enable preventing download of stuff you don't want.
For all the whitelists we might want to support version specifiers. That way we can support indexes that provide a "known good set" for example.
Thoughts? For now my main concern is to get the naming right, so we don't have to change it later on. The implementation for these different kinds of whitelists can come later.
In general I think we should not dive into more whitelisting mechanics but rather move towards having a good way to bulk-copy releases from one (mirror) index to another (private one). Therefore I think we should just rename pypi_whitelist to mirror_whitelist and not introduce version-specifiers or a mirror-specific whitelist option.
holger
Regards, Florian Schulze
-- about me: http://holgerkrekel.net/about-me/ contracting: http://merlinux.eu
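
A simplified model of the first kind of whitelist discussed in this thread (an index with its own uploads blocking same-named releases inherited from a mirror), added here as an illustration and not devpi's code. The function name, the dict layout, the sample packages and the handling of `*` as "allow everything" are assumptions.

```python
import re


def normalize(name):
    """PEP 503 project-name normalization, so 'Acme_Billing' == 'acme-billing'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def visible_releases(name, private, mirror, mirror_whitelist=()):
    """Return the (version, origin) pairs an installer would be offered.

    private / mirror map normalized project names to version lists
    (hypothetical layout). The rule modelled here: once a project has
    uploads on the private index, releases inherited from the mirror are
    hidden unless the project is listed in mirror_whitelist.
    """
    key = normalize(name)
    own = [(v, "private") for v in private.get(key, [])]
    inherited = [(v, "mirror") for v in mirror.get(key, [])]

    if not own:
        # Nothing uploaded locally: the mirror passes through unchanged.
        return inherited

    allowed = {w if w == "*" else normalize(w) for w in mirror_whitelist}
    if "*" in allowed or key in allowed:
        # Explicit opt-in: private and mirrored releases are merged.
        return own + inherited

    # Private uploads exist and the name is not whitelisted: a same-named
    # release on the public mirror can never shadow the private package.
    return own


# Constructed sample data, not taken from any real index.
PRIVATE = {"acme-billing": ["1.2"], "requests": ["2.8.1.post1"]}
MIRROR = {"acme-billing": ["99.0"], "requests": ["2.8.1"], "flask": ["0.10.1"]}

if __name__ == "__main__":
    for pkg, wl in [("acme_billing", []), ("flask", []), ("requests", ["requests"])]:
        print(pkg, wl, visible_releases(pkg, PRIVATE, MIRROR, wl))
```

With an empty whitelist the higher-numbered `acme-billing` release on the mirror is never offered; whitelisting a name is the point where that protection is deliberately given up for that project.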