Oops, forgot to cc the list

On Fri, Mar 21, 2008 at 12:28 AM, Tarek Ziadé <ziade.tarek@gmail.com> wrote:


On Thu, Mar 20, 2008 at 9:42 PM, Jeff Rush <jeff@taupro.com> wrote:
Tarek Ziadé wrote:
>
> On Thu, Mar 20, 2008 at 12:17 AM, Jeff Rush <jeff@taupro.com
>
>       - move to https/ssl
>
> There are a few problems in this area, also related to indexing
> we need to work out imho:
>
> When a package defines an https://... link in the url meta-data, the
> link will be added in the Simple index besides other links. For instance,
> people that use sourceforge can have such urls. Even if the package egg or
> tarball is available at PyPI, the home page url will appear at #1 on the
> index page.
>
> This will make tools like easy_install read this link before it reaches
> the egg/tarball.
>
> This is OK as long as the users behind the firewalls are allowed to call
> httpS...

It's not clear to me the correct behavior - help me understand:

1. Are there firewall policies that block *all* https access?   I've
   only encountered more fine-grained firewalls because, to me, use
   of https for _some_ sites is a necessary and expected behavior.

That happened last week for a developer on one project at a customer's
site. I am not saying it is the right behavior, but that's how I found the problem.

Now maybe such a firewall is too restrictive anyway to allow the
use of a web-based repository such as PyPI.


2. If we moved PyPI to serve exclusively over https, for integrity
   reasons, would this have a major negative impact?

Related to 1. I guess it is a choice, as long as it is easy to
create mirrors of PyPI. That's what we do in some projects.

Now for https, like Dave says, we cannot create at this time
a robust auth handler for it, and our PyPI implementation uses http auth.

So if this patch is pushed it is very cool :)


3. Would it be better to sort the URLs, to place the https ones at
   the end and allow a fetch error to occur, or provide a
   .distutils config option to just quietly skip https sites?

I think ordering the URLs and putting the *.egg, *.tar.gz, etc.
first would be good, yes, as easy_install fetches them in order.

It will also make the system quicker I think, if easy_install
would not fetch external home URLs when the right packages
are available on the page.

Maybe those could be dropped when the dists are uploaded.
That's what I am doing on the PyPI server I work on.

4. Is it not a problem that, when checking for newer versions,
   setuptools would be unable to access a newer version on an
   https site and would have to settle for an older version
   on a non-https site, leading to stale packages?

Good point. But I guess that as long as the system allows
external urls, we can't prevent such failures.

We have some mirrors for that as a matter of fact,
not to rely on third party servers that are sometimes down
or moving things around.

-Jeff
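An added example, not from the thread or from setuptools, of the link ordering discussed under point 3: distribution files first, then plain-http external links, then https external links that a restrictive firewall may block, with an optional flag standing in for the ".distutils config option" to skip https sites. The index HTML, hostnames and file names below are constructed.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a PyPI "Simple" index page: the https home page
# link sits at #1, ahead of the egg/tarball, as the thread describes.
SAMPLE_INDEX = """
<html><body>
<a href="https://example-project.sourceforge.net/">home page</a>
<a href="http://pypi.example.org/packages/source/e/example/example-1.0.tar.gz">example-1.0.tar.gz</a>
<a href="http://pypi.example.org/packages/2.5/e/example/example-1.0-py2.5.egg">example-1.0-py2.5.egg</a>
<a href="http://example-project.example.org/downloads">download page</a>
</body></html>
"""

DIST_SUFFIXES = (".egg", ".tar.gz", ".tgz", ".tar.bz2", ".zip")
HREF_RE = re.compile(r'href="([^"]+)"')


def is_dist_link(url):
    """True when the URL path names a distribution file rather than a home page."""
    return urlparse(url).path.lower().endswith(DIST_SUFFIXES)


def link_rank(url):
    """Lower rank is fetched first: dist files (0), http external links (1),
    https external links (2), so a client never has to reach an https host
    when the egg or tarball is already on the index page."""
    if is_dist_link(url):
        return 0
    if urlparse(url).scheme == "https":
        return 2
    return 1


def order_links(html, skip_https=False):
    """Return the index links in the fetch order proposed in the thread.

    skip_https quietly drops every https link (hypothetical equivalent of
    the config option from point 3) instead of letting a fetch error occur.
    """
    links = HREF_RE.findall(html)
    if skip_https:
        links = [u for u in links if urlparse(u).scheme != "https"]
    # sorted() is stable, so the page's own order is kept within each rank.
    return sorted(links, key=link_rank)
```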