[Catalog-sig] Use user-specific site-packages by default?

Donald Stufft donald.stufft at gmail.com
Tue Feb 5 15:24:58 CET 2013


On Tuesday, February 5, 2013 at 9:05 AM, M.-A. Lemburg wrote:
> Hmm, packages aren't validated on PyPI either. You'd need an appstore
> team for that :-)
> 
> Note that file storage itself can be insecure without any problem.
> You only have to make sure that the file's contents of the downloaded
> version matches the one that the author registered with PyPI (and, of
> course, you have to make that registration process secure), regardless
> of where you downloaded it from.
> 
> IMO, PyPI would scale a lot better if it were to only manage the
> meta data and security aspect of the package distribution and not
> also deal with distribution of the files themselves, but yeah, that's
> a different discussion ;-)

Validated is probably the wrong word. But I can get an audit log 
of everything that's been done to a package on PyPI (and in the
future I hope an audit log that can't easily be tampered with).

It's also a single point to keep secure instead of PyPI + whatever
servers the authors of packages happened to have shoved their stuff
on.

It's also a single point to keep running. More than one problem
with shitty hosts has been solved by me telling people to use
the simple index on Crate that excludes external packages.

If every package author hosts their own packages and I
have 20 dependencies, and every server has a theoretical
99% uptime (may be more, may be less, just a hypothetical
number) my expected average uptime for me to install those
20 dependencies is `0.99**21` or roughly 81%. A similar (but
much harder to quantify) effect will happen with security.

However we already have a SPOF for both uptime and security
with PyPI so attempting to limit us to 1 SPOF instead of
1 + number_of_packages_i_need is a net win AND it makes
it easier to get rid of the SPOF either by using a CDN, using
mirrors, or both.

The required storage will go up sure, I'm going to assert that
egenix is in the minority for having quite that large of a requirement
but regardless storage itself is fairly cheap.