[Catalog-sig] Fwd: readthedocs.org or packages.python.org?

martin at v.loewis.de martin at v.loewis.de
Thu Feb 7 10:15:13 CET 2013


Quoting Jesse Noller <jnoller at gmail.com>:

> It's user uploaded content we already know to be unsafe, that we're  
> putting on a different domain. Why host it on the same box when we  
> already know VM isolation reduces the attack surface of each VM?

PyPI is fundamentally about user-uploaded content. The regular release
files uploaded are just as "unsafe", as well (e.g. they might contain
viruses). The box that serves PyPI now can easily serve the new domain.
It should; trying to get the files from there to a new box just makes
things unnecessarily difficult. Please trust me on that.

Regards,
Martin



