[Catalog-sig] [DRAFT] Proposal for fixing PyPI/pip security
Jesse Noller
jnoller at gmail.com
Mon Feb 11 11:54:10 CET 2013
On Monday, February 11, 2013 at 2:01 AM, Lennart Regebro wrote:
> On Sun, Feb 10, 2013 at 11:20 PM, Jesse Noller <jnoller at gmail.com> wrote:
> > OK, so, I think there's a lot of stuff conflated here. It'll probably help
> > to simplify things if we decouple them.
> >
> > First, the point about serving metadata over a secure channel and data over
> > a cheap one is right on. Given the size of your metadata versus actual data,
> > maintaining a central metadata service but not caring about where/how data
> > is hosted is the right way to go. Note that that channel doesn't have to be
> > SSL; a verifying cert on device would still give you everything you needed.
>
> Note that for stability reasons, we still care where it's hosted. It
> should be hosted on PyPI, unless you explicitly say to use another
> server. This is because otherwise you might in a bigger system need to
> fetch the files from four different servers, and then you have four
> separate single points of failure when installing.
>
> Caching may be a solution here, but apparently there were legal issues
> around that, so let's not.
>
> //Lennart
I was quoting Geremy, who was in turn critiquing Giovanni's proposal.
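The quoted design point (signed metadata from a central index, with the package files themselves fetched from any host and checked against the digests in that metadata) as an added example; this is not code from the thread or from pip/PyPI, and the Ed25519 key, the `Metadata` layout and the sample file are constructed assumptions:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Metadata is the small signed index document: filename -> hex SHA-256 digest.
type Metadata struct {
	Files map[string]string `json:"files"`
}
// SignMetadata is the index side: serialize the document and sign it with the index key.
func SignMetadata(priv ed25519.PrivateKey, m Metadata) (doc, sig []byte, err error) {
	if doc, err = json.Marshal(m); err != nil {
		return nil, nil, err
	}
	return doc, ed25519.Sign(priv, doc), nil
}
// VerifyMetadata is the client side: only the key pinned on device is trusted, not the transport.
func VerifyMetadata(pub ed25519.PublicKey, doc, sig []byte) (Metadata, error) {
	var m Metadata
	if !ed25519.Verify(pub, doc, sig) {
		return m, fmt.Errorf("metadata signature invalid")
	}
	err := json.Unmarshal(doc, &m)
	return m, err
}
// VerifyFile checks a blob fetched from any mirror against the signed digest, so a bad
// mirror can only cause a failed install, never a substituted package.
func VerifyFile(m Metadata, name string, blob []byte) error {
	want, ok := m.Files[name]
	if !ok {
		return fmt.Errorf("%s not listed in signed metadata", name)
	}
	if sum := sha256.Sum256(blob); hex.EncodeToString(sum[:]) != want {
		return fmt.Errorf("%s digest mismatch: altered on mirror or in transit", name)
	}
	return nil
}
func main() { // stand-alone demo with a constructed index key and a constructed file
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	blob := []byte("constructed wheel contents")
	sum := sha256.Sum256(blob)
	doc, sig, _ := SignMetadata(priv, Metadata{Files: map[string]string{"pkg-1.0.whl": hex.EncodeToString(sum[:])}})
	m, err := VerifyMetadata(pub, doc, sig)
	fmt.Println(err, VerifyFile(m, "pkg-1.0.whl", blob), VerifyFile(m, "pkg-1.0.whl", []byte("tampered")))
}
```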