[Catalog-sig] A 90% Solution

PJ Eby pje at telecommunity.com
Tue Mar 12 00:04:27 CET 2013


Just a thought, but...

If 90% of PyPI projects do not have any external files to download,
then, wouldn't it make sense to:

1. Add a project-level option to enable or disable the adding of the
rel="" attribute to /simple links (but not affecting the links in any
other way)
2. Default it to disabled for new projects, and
3. Set it to disabled *now* for the 90% of projects that *don't have
external files*?

If the arguments about banning external links are as valid and
important as some people claim, wouldn't it make sense to do this part
*now*, without first requiring a commitment to force the switch to a
disabled state in the future?

Immediately, 90% of the problem goes away - no random spidering of
stuff that doesn't contain a link now, but which could be taken over
by a malicious party in the future, and 90% fewer sites having to be
up in order for you to build something from PyPI.

Seems like a serious win to me -- and one that might not even need a PEP.

Next steps after this would be providing tools to help people move
their files and links, promoting that people switch it off if they no
longer support the offsite links, educating about security concerns,
etc.

I really don't understand why the 90% solution isn't *already* the
consensus position, since it doesn't preclude follow-on efforts
towards reducing the 10% towards 0%.

And if the problem is so important, why must we keep 90% of the
problems in place, just so we can keep arguing about censoring the
10%? That doesn't make sense to me.

To me, if somebody's injured, the first thing you do is clean and
close the wound, not argue about whether it's a complete solution and
what might happen days or weeks later.

Just a thought.
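To make the mechanism behind the proposal concrete, here is an added example (not part of the message, nor PyPI's or pip's own code). It models a 2013-era installer reading a /simple/<project>/ page the way PEP 438 describes: links carrying rel="homepage" or rel="download" are crawled for further files, bare offsite links are fetched only if they look like a distribution file, and everything else is ignored. The sample pages, the index host `pypi.python.org`, the archive-extension list and the function names are all assumptions made for the illustration. `disable_rel` emulates the proposed per-project switch (drop the rel attributes, leave every href in place), and `has_external_files` is the audit that would pick out the "90%" that can be switched off immediately.

```python
"""Model how an installer treats links on a PyPI /simple/<project>/ page,
and what the proposed "rel attributes off" switch changes. Added example,
not PyPI or pip code; constants below are assumptions for the illustration."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption (PEP 438 wording): pages reached through these rel values are
# crawled for more download links; a plain offsite href is not crawled.
SPIDERED_RELS = {"download", "homepage"}
INDEX_HOST = "pypi.python.org"  # assumed host serving the /simple index
# Assumption: an installer only tries to download a bare link whose path
# looks like a distribution file; a homepage URL like "/" is skipped.
ARCHIVE_EXTS = (".tar.gz", ".tgz", ".tar.bz2", ".zip", ".egg", ".exe", ".whl")

# Constructed sample pages in the shape PyPI's simple index used at the time.
BASE = "https://pypi.python.org/simple/example/"
SAMPLE_TYPICAL = """<html><body><h1>Links for example</h1>
<a href="../../packages/source/e/example/example-1.0.tar.gz#md5=00112233445566778899aabbccddeeff">example-1.0.tar.gz</a><br/>
<a href="http://example.org/" rel="homepage">1.0 home_page</a><br/>
</body></html>"""
SAMPLE_EXTERNAL = """<html><body><h1>Links for example</h1>
<a href="../../packages/source/e/example/example-1.0.tar.gz#md5=00112233445566778899aabbccddeeff">example-1.0.tar.gz</a><br/>
<a href="http://example.org/" rel="homepage">1.0 home_page</a><br/>
<a href="http://downloads.example.org/example/" rel="download">1.0 download_url</a><br/>
<a href="http://mirror.example.net/example-0.9.tar.gz#md5=ffeeddccbbaa99887766554433221100">example-0.9.tar.gz</a><br/>
</body></html>"""


class _AnchorCollector(HTMLParser):
    """Collect (href, rel) pairs from <a> tags using only the stdlib parser."""

    def __init__(self):
        super().__init__()
        self.anchors = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attrs = dict(attrs)
            if attrs.get("href"):
                self.anchors.append((attrs["href"], (attrs.get("rel") or "").lower()))


def classify_links(page_html, base_url):
    """Return [(absolute_url, kind)] where kind is one of:
    'hosted'   file on the index host itself
    'spidered' offsite page an installer would crawl for more links
    'external' offsite file fetched directly (no rel, archive-like path)
    'ignored'  bare link that does not look like a file, so it is skipped
    """
    collector = _AnchorCollector()
    collector.feed(page_html)
    classified = []
    for href, rel in collector.anchors:
        url = urljoin(base_url, href)
        parts = urlsplit(url)
        if rel in SPIDERED_RELS:
            kind = "spidered"
        elif parts.hostname == INDEX_HOST:
            kind = "hosted"
        elif parts.path.lower().endswith(ARCHIVE_EXTS):
            kind = "external"
        else:
            kind = "ignored"
        classified.append((url, kind))
    return classified


def hosts_required(page_html, base_url):
    """Hosts other than the index that must be up for an install to succeed."""
    return {
        urlsplit(url).hostname
        for url, kind in classify_links(page_html, base_url)
        if kind in ("spidered", "external")
    } - {INDEX_HOST}


def has_external_files(page_html, base_url):
    """True if the project belongs to the 10%: it lists files hosted offsite."""
    return any(kind == "external" for _, kind in classify_links(page_html, base_url))


# Matches a rel="..." / rel='...' attribute inside an <a ...> start tag.
_REL_ATTR = re.compile(r"""(<a\b[^>]*?)\s+rel\s*=\s*(?:"[^"]*"|'[^']*')""", re.IGNORECASE)


def disable_rel(page_html):
    """Emulate the proposed per-project switch: strip rel attributes from <a>
    tags while leaving every href exactly as it was."""
    return _REL_ATTR.sub(r"\1", page_html)


if __name__ == "__main__":
    for name, page in (("typical", SAMPLE_TYPICAL), ("external", SAMPLE_EXTERNAL)):
        print(name, "external files:", has_external_files(page, BASE))
        print("  hosts with rel on :", sorted(hosts_required(page, BASE)))
        print("  hosts with rel off:", sorted(hosts_required(disable_rel(page), BASE)))
```

Running it shows the effect the post is after: the typical project (one file on PyPI plus a home_page link) needs `example.org` to be up only because of the rel="homepage" crawl, and needs nothing offsite once rel is disabled, while its hrefs are still present on the page. The project with an offsite tarball still depends on `mirror.example.net` after the switch, which is the 10% the follow-on migration tooling would have to deal with.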

