[Catalog-sig] [PSF-Board] Troubled by changes to PyPI usage agreement

M.-A. Lemburg mal at egenix.com
Thu Jan 21 12:24:33 CET 2010


Steve Holden wrote:
> Tarek Ziadé wrote:
>> 2010/1/20 "Martin v. Löwis" <martin at v.loewis.de>:
>>>> Of course, there's also a human dimension : we suppose that the people
>>>> running the mirror are people we can trust because they can
>>>> technically do malicious things in the mirror since we don't really
>>>> have any real protection (*yet*).
>>> That's not true: users of mirrors can verify that the mirrors are
>>> authentic. Neither can malicious operators modify the contents of
>>> their mirrors without clients noticing, nor can careless mirror
>>> operators threaten the integrity of a mirror even assuming somebody
>>> breaks into the mirror.
>>
>> But users can't verify that the archive they download using tools like
>> easy_install are the real ones.
>>
>> If I am a bad guy and I run a mirror, I can change a setup.py file in
>> an archive and make it do malicious things on the computer, and let
>> easy_install execute it for me.
>> The only verification done is the md5 hash on the file, which can be
>> changed on the mirror (nothing prevents the mirror from computing its
>> own MD5 fragments in the download URLs).
>>
>> Regards
>> Tarek
>>
> I have in the past suggested that we consider hosting services at
> diverse places. I'd have thought this was a prima facie case for
> distributed hosting facilities. If we have that, we have no need for
> mirrors, but instead for systems management. I know of at least three
> reputable US hosting companies who I am pretty sure would help, and a
> major academic hosting organization too. Also maybe Snakebite might be
> another location?

That would be my preference as well.

Services like Amazon CloudFront or Akamai could easily scale up to
millions of users.

Since the PyPI data is already available as a set of static files
(at least from looking at the simple/ index), pushing this through
such content delivery systems should easily be possible.

Such a setup would avoid all the legalese issues, since the PSF
would run the infrastructure and also make monitoring the service
a lot easier.

Moreover, all the complicated stuff like on-demand content
distribution is handled by those services automatically.

> This is an infrastructure committee task really. Brett? Martin?
> 
> Brett: maybe your closing report to the board could summarize the
> overall hosting situation?

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Jan 21 2010)
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::


   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
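As an added illustration of the point Tarek raises above about the md5 fragment in download URLs (example code written for this page, not taken from the thread, from PyPI or from easy_install): the same md5 check either passes or fails depending only on where the expected digest came from. The hostnames, file name and archive bytes below are constructed placeholders, and the simulated "mirror" simply re-hosts an altered file and recomputes the fragment, which is the scenario the thread describes.

```python
import hashlib
from typing import Optional
from urllib.parse import urlparse

# Constructed sample data (not real PyPI content): the bytes of a small sdist
# as published by the master index, and the same archive after a mirror
# operator has altered it.
ORIGINAL_ARCHIVE = b"pkg-1.0.tar.gz: setup(name='pkg', version='1.0')\n"
TAMPERED_ARCHIVE = ORIGINAL_ARCHIVE + b"# line added on the mirror\n"

MASTER_BASE = "https://master.example/simple/pkg"   # hypothetical trusted index
MIRROR_BASE = "https://mirror.example/simple/pkg"   # hypothetical mirror
FILENAME = "pkg-1.0.tar.gz"


def md5_fragment(data: bytes) -> str:
    """Hash fragment in the style the simple index appends to download links."""
    return "md5=" + hashlib.md5(data).hexdigest()


def download_link(base: str, filename: str, data: bytes) -> str:
    """Build '<base>/<file>#md5=<hex>' the way an index page would publish it."""
    return f"{base}/{filename}#{md5_fragment(data)}"


def fragment_digest(url: str) -> Optional[str]:
    """Return the hex digest carried in a '#md5=...' fragment, or None if absent."""
    frag = urlparse(url).fragment
    if frag.startswith("md5="):
        return frag[len("md5="):]
    return None


def verify(url: str, data: bytes) -> bool:
    """Client-side check: does the downloaded data match the link's digest?"""
    expected = fragment_digest(url)
    return expected is not None and hashlib.md5(data).hexdigest() == expected


def mirror_rewrites_link(master_link: str, tampered: bytes) -> str:
    """What any mirror can do: re-host the file and recompute the fragment."""
    filename = urlparse(master_link).path.rsplit("/", 1)[-1]
    return download_link(MIRROR_BASE, filename, tampered)


def same_origin_check() -> bool:
    """Link and file both come from the mirror: the digest is self-consistent,
    so the tampered archive is accepted (returns True)."""
    master_link = download_link(MASTER_BASE, FILENAME, ORIGINAL_ARCHIVE)
    mirror_link = mirror_rewrites_link(master_link, TAMPERED_ARCHIVE)
    return verify(mirror_link, TAMPERED_ARCHIVE)


def cross_origin_check() -> bool:
    """Expected digest taken from the master index, bytes from the mirror:
    the mismatch is detected (returns False)."""
    master_link = download_link(MASTER_BASE, FILENAME, ORIGINAL_ARCHIVE)
    return verify(master_link, TAMPERED_ARCHIVE)


if __name__ == "__main__":
    print("same-origin md5 check accepts tampered archive:", same_origin_check())
    print("cross-origin md5 check accepts tampered archive:", cross_origin_check())
```

The hash algorithm is beside the point here: the check only has value when the expected digest is obtained from a party other than the one serving the bytes, which is what a CDN fronting a PSF-run origin, or a digest list published by the master index, would provide and a freestanding mirror cannot.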