[Catalog-sig] Deprecate External Links

Donald Stufft donald.stufft at gmail.com
Wed Feb 27 17:36:10 CET 2013


On Wednesday, February 27, 2013 at 11:30 AM, Ronald Oussoren wrote:
> The security bits are still in flux, AFAIK both proposals won't require SSL for the 
> actual download to be secure.
> 
> 

The proposals you are talking about should not be depended on solely, the best
method for hosting a secure infrastructure is "defense in depth". Basically you
know you cannot make a perfect system, so you attempt to join several imperfect
systems together with the idea that each one makes it harder to compromise.
> 
> > > 
> > > Instead of suggesting to removing support for externally hosted packages,
> > > why not propose a mechanism to provide a more direct/secure way to
> > > reference them ?
> > > 
> > 
> > I did mention a method for doing that in my email. However there are reasons
> > beyond the security ones to require packages being hosted on PyPI. Namely
> > uptime, privacy, and performance.
> > 
> 
> 
> You only mentioned restricting downloads to the 'Download-URL' property in the 
> package metadata. Another alternative would be to add a PyPI API for registering
> specific downloads with the same restrictions on filenames as for files hosted 
> by PyPI itself.  With that PyPI could be queried for the exact downloads associated
> with a release instead of having to perform screen scaping.
> 
> 

Yes, I did not mention every possible method. There are again other reasons for
keeping things centralized. Remember that not every user of Python nor PyPI
is located in a country where they can reasonably assume that traffic is not
being watched or meddled with. https://ooni.torproject.org/ attempts to catalog
this (using Python by the way!).
> 
> At this time I don't know if requiring that files are hosted on PyPI is a good idea,
> as Marc-Andre said there are reasons for hosting them elsewhere.  That might
> change when the package signing infrastructure is further specified.
> 
> Ronald
> 
> P.S. And only using downloads hosted on PyPI doesn't require changes to PyPI
> anyway, just patches to pip and setuptools :-)
> 
> 

I have issues for pip and buildout currently, and plan to file more. However there
is a lot of old versions of these software in use that would benefit from PyPI implementing
this change. 
> 
> > _______________________________________________
> > Catalog-SIG mailing list
> > Catalog-SIG at python.org (mailto:Catalog-SIG at python.org)
> > http://mail.python.org/mailman/listinfo/catalog-sig
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20130227/baf76f33/attachment-0001.html>


More information about the Catalog-SIG mailing list