[Catalog-sig] Deprecate External Links

Donald Stufft donald.stufft at gmail.com
Wed Feb 27 18:44:41 CET 2013


On Wednesday, February 27, 2013 at 12:22 PM, holger krekel wrote:
> The main means of securing against tampering is author-signatures
> and verification by installers. If we have that, the download location
> does not matter (pypi/CDN/google/...).

Again, we don't have that yet. It's only 1 layer, and that doesn't solve
all of the issues with external packages.
> 
> 
> > 2. External links decrease the expected uptime for a particular set
> > of requirements. PyPI itself has become very stable, however
> > the same cannot be said for all of the hosts linked that the toolchain
> > processes. Each new host is an additional SPOF.
> > 
> > Ex: I depend on PyPI and 10 other external packages, each
> > service has a 99% uptime so my expected uptime to
> > be able to install all my requirements would be ~89% (0.99 ** 11).
> > 
> 
> 
> There are many links which go to google, bitbucket or github -
> I doubt those services have worse availability than pypi.python.org,
> rather better.

It doesn't matter whether they have worse or better uptime: you cannot
increase availability by adding more points of failure. At best you keep
it the same; typically you decrease it.
> 
> Also, we would be losing a lot of packages, because I expect there to
> be a non-trivial number of packages which will not be transferred to
> pypi.python.org no matter how much people here think it's cool.
> 
> Why not first have a good infrastructure and capacity with
> pypi.python.org so that people *want* to move their files there?

PyPI has had very good uptime since the move to OSL. I don't have
numbers handy but I believe I can get them. 
> 
> best,
> holger
> 
> 
> > 3. Breaks the ability for a CDN and/or mirroring infrastructure to provide
> > increased uptime and better latency/throughput across the globe.
> > 4. Privacy implications: as a user, it is not particularly obvious when
> > I run `pip install Foo` what hosts I will be issuing requests against.
> > It is obvious that I will be contacting PyPI, and I will have made the
> > decision to trust PyPI; however, it is not obvious what other hosts will
> > be able to gather information about me, including what packages I am
> > installing. This becomes even more difficult to determine the deeper
> > my dependency tree goes.

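As an added illustration of the availability arithmetic in point 2 and the mirroring argument in point 3 (example code, not part of the original thread): a package is fetchable if any host serving it is up, an install succeeds only if every required package is fetchable, and host outages are assumed independent. The host names, the 99% figures and the three package layouts are constructed.

```python
from itertools import product
from typing import Dict, List

# Constructed data: per-host availability (fraction of time reachable).
# "mirror" stands for a hypothetical PyPI mirror/CDN node that fails
# independently of pypi; ext1..ext10 are ten hypothetical external hosts.
HOST_AVAILABILITY: Dict[str, float] = {
    "pypi": 0.99,
    "mirror": 0.99,
    **{f"ext{i}": 0.99 for i in range(1, 11)},
}


def install_availability(packages: Dict[str, List[str]],
                         host_avail: Dict[str, float]) -> float:
    """Probability that every package in `packages` can be fetched.

    Each value in `packages` lists the hosts that serve that package.
    Alternative hosts for the same package act in parallel (redundancy);
    distinct hosts that are each required act in series (more SPOFs).
    Computed by exact enumeration of host up/down states."""
    hosts = sorted({h for hs in packages.values() for h in hs})
    total = 0.0
    for state in product((True, False), repeat=len(hosts)):
        up = dict(zip(hosts, state))
        p = 1.0
        for h in hosts:  # probability of this particular up/down pattern
            p *= host_avail[h] if up[h] else 1.0 - host_avail[h]
        if all(any(up[h] for h in hs) for hs in packages.values()):
            total += p  # every package has at least one live host
    return total


def scenarios() -> Dict[str, float]:
    """Three constructed layouts of the same 11 requirements."""
    names = [f"pkg{i}" for i in range(11)]
    all_on_pypi = {n: ["pypi"] for n in names}
    # pkg0 on PyPI, the other ten each on their own external host
    ten_external = {names[0]: ["pypi"],
                    **{names[i]: [f"ext{i}"] for i in range(1, 11)}}
    mirrored = {n: ["pypi", "mirror"] for n in names}
    return {
        "all_on_pypi": install_availability(all_on_pypi, HOST_AVAILABILITY),
        "ten_external": install_availability(ten_external, HOST_AVAILABILITY),
        "pypi_plus_mirror": install_availability(mirrored, HOST_AVAILABILITY),
    }


if __name__ == "__main__":
    for name, avail in scenarios().items():
        print(f"{name:18s} {avail:.4%}")
```

The ten-external layout reproduces the ~89% figure from the thread, while serving everything from PyPI plus one independent mirror raises the expected install availability above either host alone.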


