Quoting Nick Coghlan <ncoghlan@gmail.com>:
On 6 August 2013 16:09, Christian Theune <ct@gocept.com> wrote:
Hi,
looks like I'm late to the party to figure out that I'm going to be hurt again.
That's why I asked for this to be put through the PEP process: to give it more visibility, and provide more opportunity for people potentially affected to have a chance to comment and offer alternatives. Giving third parties the opportunity to read python.org cookies indefinitely isn't an option.
Define "third party". There are a number of organisations other than the PSF that can read python.org cookies. As Noah explains, it's a matter of trust. Noah chooses to trust Fastly, I choose to trust Christian Theune. We both have then imposed our trust on the community.

In any case, I consider the cookie issue a red herring. Mirror operators could only steal cookies if users actually pointed their web browsers to the mirrors. They typically don't, since they use setuptools or pip, which doesn't even have access to the cookies. And, if a mirror operator actually does request cookies, there is a high risk of being caught doing so. If that happens, the mirror operator will not only lose the mirror, but also lose community trust.

Regards,
Martin