[Catalog-sig] A 90% Solution

Donald Stufft donald at stufft.io
Tue Mar 12 00:39:50 CET 2013


On Mar 11, 2013, at 7:04 PM, PJ Eby <pje at telecommunity.com> wrote:

> Just a thought, but...
> 
> If 90% of PyPI projects do not have any external files to download,
> then, wouldn't it make sense to:

To be accurate it's 90% don't have any files/release available *only* externally. Most have external files to download because it's very rare that a project doesn't include a home_page or a download_url, especially since distutils complains if you don't.

> 
> 1. Add a project-level option to enable or disable the adding of the
> rel="" attribute to /simple links (but not affecting the links in any
> other way)
> 2. Default it to disabled for new projects, and
> 3. Set it to disabled *now* for the 90% of projects that *don't have
> external files*?

+1 except 1. should be to remove the links entirely from the /simple/
index, not to just remove the rel attribute.

> 
> If the arguments about banning external links are as valid and
> important as some people claim, wouldn't it make sense to do this part
> *now*, without first requiring a commitment to force the switch to a
> disabled state in the future?
> 
> Immediately, 90% of the problem goes away - no random spidering of
> stuff that doesn't contain a link now, but which could be taken over
> by a malicious party in the future, and 90% fewer sites having to be
> up in order for you to build something from PyPI.
> 
> Seems like a serious win to me -- and one that might not even need a PEP.

Absolutely, and similar to something I asked Richard at the start of this, I'm waiting on an OK from someone with authority that they'd merge such a change and I'll have a PR out for it asap after that.

> 
> Next steps after this would be providing tools to help people move
> their files and links, promoting that people switch it off if they no
> longer support the offsite links, educating about security concerns,
> etc.
> 
> I really don't understand why the 90% solution isn't *already* the
> consensus position, since it doesn't preclude follow-on efforts
> towards reducing the 10% towards 0%.
> 
> And if the problem is so important, why must we keep 90% of the
> problems in place, just so we can keep arguing about censoring the
> 10%?  That doesn't make sense to me.
> 
> To me, if somebody's injured, the first thing you do is clean and
> close the wound, not argue about whether it's a complete solution and
> what might happen days or weeks later.

Like I said above, I'm just waiting on an OK that this has a chance of landing before bothering to implement it.

> 
> Just a thought.
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig


-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
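An added illustration of the filtering proposed above (keep only the links to files hosted on the index, drop the rel="homepage" / rel="download" links that clients would otherwise spider). This is example code, not anything from PyPI, pip or the people on this thread. It assumes a /simple/<project>/ page in the plain-HTML form PyPI served at the time, where PyPI-hosted files appear as ordinary links and the home_page and download_url fields appear as links carrying rel="homepage" and rel="download". The sample page, the project name and the hosts in it are constructed for the example.

```python
"""Split a /simple/<project>/ page into hosted and external links.

Added example (not PyPI's or pip's code). The "external" set is exactly
what the proposal above would remove from the index: links that carry
rel="homepage" or rel="download", or that point off the index host.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample; the project, hosts and digest are made up.
BASE = "https://pypi.python.org/simple/example/"
SAMPLE_INDEX = """
<html><head><title>Links for example</title></head><body>
<h1>Links for example</h1>
<a href="../../packages/source/e/example/example-1.0.tar.gz#md5=0123456789abcdef0123456789abcdef">example-1.0.tar.gz</a><br/>
<a href="http://example.org/" rel="homepage">1.0 home_page</a><br/>
<a href="http://example.org/dl/example-1.0.tar.gz" rel="download">1.0 download_url</a><br/>
<a href="https://pypi.python.org/packages/source/e/example/example-1.1.tar.gz">example-1.1.tar.gz</a><br/>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, rel) pairs from every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        if "href" in a:
            self.links.append((a["href"], a.get("rel")))


def collect_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def classify(href, rel, base):
    """Return 'hosted' for a file on the index host, 'external' otherwise.

    A rel="homepage"/"download" link is external by definition: a client
    following it fetches a third-party page and scans it for more links,
    which is the spidering the thread wants to stop.
    """
    if rel in ("homepage", "download"):
        return "external"
    absolute = urljoin(base, href)
    if urlsplit(absolute).netloc != urlsplit(base).netloc:
        return "external"
    return "hosted"


def filter_index(html, base=BASE):
    """Return (hosted_urls, external_urls), both as absolute URLs."""
    hosted, external = [], []
    for href, rel in collect_links(html):
        target = hosted if classify(href, rel, base) == "hosted" else external
        target.append(urljoin(base, href))
    return hosted, external


def render_index(title, html, externals_enabled, base=BASE):
    """Re-emit the page as the proposed per-project option would.

    With externals_enabled=False only the hosted links survive, so the page
    carries no rel="" attributes at all and nothing for a client to spider.
    """
    hosted, external = filter_index(html, base)
    lines = ["<html><body>", "<h1>Links for %s</h1>" % title]
    lines += ['<a href="%s">%s</a><br/>' % (u, u.rsplit("/", 1)[-1].split("#")[0]) for u in hosted]
    if externals_enabled:
        lines += ['<a href="%s" rel="external">%s</a><br/>' % (u, u) for u in external]
    lines.append("</body></html>")
    return "\n".join(lines)


if __name__ == "__main__":
    hosted, external = filter_index(SAMPLE_INDEX)
    print("hosted:  ", hosted)
    print("external:", external)
    print(render_index("example", SAMPLE_INDEX, externals_enabled=False))
```

Running it against the sample shows the two tarballs under /packages/ classified as hosted and both example.org links as external; rendering with externals disabled drops the latter entirely, which is the behaviour asked for in item 1 of the quoted proposal (links removed, not merely their rel attribute).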
