PEP464 - Removal of the PyPI Mirror Authenticity API
Hello! I’d like to propose PEP464, the removal of the PyPI Mirror Authenticity API which was originally described in PEP381.

The text of the PEP is below, or it can be viewed online at https://python.org/dev/peps/pep-0464/

PEP: 464
Title: Removal of the PyPI Mirror Authenticity API
Version: $Revision$
Last-Modified: $Date$
Author: Donald Stufft <donald@stufft.io>
BDFL-Delegate: Richard Jones <richard@python.org>
Discussions-To: distutils-sig@python.org
Status: Draft
Type: Process
Content-Type: text/x-rst
Created: 02-Mar-2014
Post-History: 03-Mar-2014
Replaces: 381

Abstract
========

This PEP proposes the deprecation and removal of the PyPI Mirror Authenticity API; this includes the /serverkey URL and all of the URLs under /serversig.

Rationale
=========

The PyPI mirroring infrastructure (defined in PEP 381) provides a means to mirror the content of PyPI used by the automatic installers, and as a component of that, it provides a method for verifying the authenticity of the mirrored content.

This PEP proposes the removal of this API due to:

* No implementations that utilize this API are known; this includes `pip <http://www.pip-installer.org/en/latest/>`_ and `setuptools <http://pythonhosted.org//setuptools/>`_.
* Because this API uses DSA it is vulnerable to leaking the private key if there is *any* bias in the random nonce.
* This API solves one small corner of the trust problem; however, the problem itself is much larger and it would be better to have a fully fledged system, such as `The Update Framework <https://python.org/dev/peps/pep-0458/>`_, instead.

Due to the issues it has and the lack of use, it is the opinion of this PEP that it does not provide any practical benefit to justify the additional complexity.

Plan for Deprecation & Removal
==============================

Immediately upon the acceptance of this PEP the Mirror Authenticity API will be considered deprecated and mirroring agents and installation tools should stop accessing it.

Instead of actually removing it from the current code base (PyPI 1.0), the current work to replace PyPI 1.0 with a new code base (PyPI 2.0) will simply not implement this API. This would cause the API to be "removed" when the switch from 1.0 to 2.0 occurs.

If PyPI 2.0 has not been deployed in place of PyPI 1.0 by Sept 01 2014 then this PEP will be implemented in the PyPI 1.0 code base instead (by removing the associated code).

No changes will be required in the installers; however, PEP 381 compliant mirroring clients, such as `bandersnatch <https://pypi.python.org/pypi/bandersnatch/>`_ and `pep381client <https://pypi.python.org/pypi/pep381client/>`_ will need to be updated to no longer attempt to mirror the /serversig URLs.

Copyright
=========

This document has been placed in the public domain.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
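The DSA point in the rationale, illustrated with an added toy example (not code from the PEP, PyPI or any mirroring client): in the extreme case of nonce bias, a nonce used for two signatures, the two signatures alone reveal the private key, while a nonce derived deterministically from key and message (a simplified RFC 6979-style HMAC, not the full specification) takes the random source out of the picture. The group parameters are constructed at import time and are far too small for real use; the sample messages are constructed.

```python
# Added toy DSA (not PyPI or PEP code): group constructed at import time, far too small for real use.
import hashlib, hmac, secrets

def is_prime(n: int) -> bool:          # trial division, adequate for toy sizes
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def make_params():
    q, k = (1 << 31) - 1, 2            # q = 2^31 - 1 is a known (Mersenne) prime
    while not is_prime(k * q + 1):     # p = first prime of the form k*q + 1
        k += 2
    p = k * q + 1
    g = next(pow(h, k, p) for h in range(2, p) if pow(h, k, p) != 1)  # order q
    return p, q, g
P, Q, G = make_params()

def digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def sign(x: int, msg: bytes, k: int):
    """Textbook DSA: r = (G^k mod P) mod Q, s = k^-1 (H + x r) mod Q."""
    r = pow(G, k, P) % Q
    return r, pow(k, -1, Q) * (digest(msg) + x * r) % Q

def verify(y: int, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    return pow(G, digest(msg) * w % Q, P) * pow(y, r * w % Q, P) % P % Q == r

def deterministic_nonce(x: int, msg: bytes) -> int:
    """Simplified RFC 6979-style nonce from key and message; RNG bias cannot reach it."""
    mac = hmac.new(x.to_bytes(8, "big"), hashlib.sha256(msg).digest(), "sha256")
    return 1 + int.from_bytes(mac.digest(), "big") % (Q - 1)

def recover_key(m1: bytes, sig1, m2: bytes, sig2):
    """Equal r means equal k: k = (H1-H2)/(s1-s2), x = (s1*k - H1)/r (mod Q)."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2 or r1 == 0:
        return None
    k = (digest(m1) - digest(m2)) * pow((s1 - s2) % Q, -1, Q) % Q
    return (s1 * k - digest(m1)) * pow(r1, -1, Q) % Q

def demo():
    """Returns (x, x recovered from a reused random nonce, same attempt vs deterministic nonces)."""
    x, k = 1 + secrets.randbelow(Q - 1), 1 + secrets.randbelow(Q - 1)
    m1, m2 = b"/simple/pip/", b"/simple/setuptools/"   # constructed sample inputs
    leaked = recover_key(m1, sign(x, m1, k), m2, sign(x, m2, k))
    d1, d2 = (sign(x, m, deterministic_nonce(x, m)) for m in (m1, m2))
    return x, leaked, recover_key(m1, d1, m2, d2)
```

`demo()` returns the private key twice when the random nonce repeats and `None` for the deterministic-nonce pair; the same `recover_key` logic is also the check a signing service can run over its own output, since a repeated `r` under one key is the visible symptom.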
Just a ping on this :) I’m assuming nobody actually cares because it’s an unused API but since it was introduced through a PEP I wanted to remove it through a PEP.

On Mar 4, 2014, at 2:48 PM, Donald Stufft <donald@stufft.io> wrote:
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig
Also want to make sure the original authors of PEP381 and the mirroring clients are aware of this PEP!

On Mar 5, 2014, at 7:31 PM, Donald Stufft <donald@stufft.io> wrote:
On 6. Mar 2014, at 01:43, Donald Stufft <donald@stufft.io> wrote:
Also want to make sure the original authors of PEP381 and the mirroring clients are aware of this PEP!
Happy with it from my side. Updating bandersnatch should be trivial.

Christian

--
Christian Theune · gocept gmbh & co. kg
flyingcircus.io · operations as a service
Forsterstraße 29 · 06112 Halle (Saale) · Tel +49 345 1229889-7
I think maybe we’re ready for a decree on this? I didn’t expect many people to actually care about it since it’s unused :)

On Mar 9, 2014, at 12:44 PM, Christian Theune <ct@gocept.com> wrote:
On 11. Mar 2014, at 20:01, Donald Stufft <donald@stufft.io> wrote:
I think maybe we’re ready for a decree on this? I didn’t expect many people to actually care about it since it’s unused :)
I think I qualify for being “not many people”, so yeah. ;)
Ping on a decree/pronouncement for this? :]

On Mar 11, 2014, at 3:53 PM, Christian Theune <ct@gocept.com> wrote:
Let's do it. PEP accepted.

On 22 March 2014 07:51, Donald Stufft <donald@stufft.io> wrote:
Thank you sir!

On Mar 21, 2014, at 5:25 PM, Richard Jones <r1chardj0n3s@gmail.com> wrote:
Let's do it. PEP accepted.
Participants (3): Christian Theune, Donald Stufft, Richard Jones