[Catalog-sig] Pypi cdn for hosted packages

Donald Stufft donald.stufft at gmail.com
Fri Mar 1 01:13:00 CET 2013

On Thursday, February 28, 2013 at 10:13 AM, Noah Kantrowitz wrote:
> Reponding from my phone quickly before this gets any further, will write more later. Plan is to have pypi move package download links to a new hostname (probably pypi-download.python.org (http://pypi-download.python.org)) and then throw that behind fastly. This sidesteps 100% of issues with dynamic pages, etc. Simple index with be handled secondarily.
Just an aside, can we use a pythonhosted.org domain, like
https://packages.pythonhosted.org/ or something?

That will prevent gifar like attacks where someone finds a way
to create a file that both looks like a valid file to PyPI, but
that browsers will interpret as something executable. Or rather
it prevents it from being able to attack *.python.org.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20130228/4f755631/attachment.html>

More information about the Catalog-SIG mailing list