[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site
Donald Stufft
donald at stufft.io
Tue Mar 12 19:17:55 CET 2013
On Mar 12, 2013, at 12:41 PM, "M.-A. Lemburg" <mal at egenix.com> wrote:
> On 12.03.2013 17:29, Jacob Kaplan-Moss wrote:
>> On Tue, Mar 12, 2013 at 11:19 AM, M.-A. Lemburg <mal at egenix.com> wrote:
>>> So let's do this carefully and find a good solution before
>>> jumping to conclusions.
>>
>> Completely agreed; rushing is a bad idea.
>>
>> But so is not starting. What I'm seeing — as a total outsider, a user
>> of these tools, not someone who creates them — is that a bunch of
>> people (Holger, Donald, Richard, the pip maintainers, etc.) have the
>> beginnings of a solution ready to go *right now*, and I want to
>> capture that energy and enthusiasm before it evaporates.
>>
>> This isn't an academic situation; I've seen companies decline to adopt
>> Python over this exact security issue. I can't share details in
>> writing but ask me at PyCon and I can tell you some stories.
>> Externally-hosted packages are a security risk, full stop.
>>
>> There's likely an even better solution involving strong cryptography
>> and such, but there's also an incremental improvement on the table
>> right now. Nobody's suggesting that we do this hastily or all at once,
>> but there *is* a proposal to get the process started right now. Why
>> shouldn't we get going while there's momentum?
>
> Sure; I'm just saying that we need to test drive the proposal
> before actually adopting it.
FWIW, https://restricted.crate.io/ is the simple index minus any external URL and has existed for over a year. I use it full time, and have others doing the same.
>
> I'm also trying to get some of the more radical unneeded changes
> reconsidered. We don't need to break things just because we can -
> let's leave that to our kids ;-)
>
> Holger has already addressed much of this in his V2 proposal
> and apart from the time frame and some details, it looks good.
>
> Meanwhile, I've been playing around with the earlier proposal
> I put forward:
>
> http://wiki.python.org/moin/PyPI/DownloadMetaDataProposal
>
> to secure external links and found several issues while
> implementing it. It's easy to draw up a design, but you
> only get down to the problems when actually trying to
> implement it.
>
> --
> Marc-Andre Lemburg
> eGenix.com
>
> Professional Python Services directly from the Source (#1, Mar 12 2013)
>>>> Python Projects, Consulting and Support ... http://www.egenix.com/
>>>> mxODBC.Zope/Plone.Database.Adapter ... http://zope.egenix.com/
>>>> mxODBC, mxDateTime, mxTextTools ... http://python.egenix.com/
> ________________________________________________________________________
>
> ::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::
>
> eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48
> D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
> Registered at Amtsgericht Duesseldorf: HRB 46611
> http://www.egenix.com/company/contact/
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
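The "simple index minus any external URL" idea above is easy to state and worth seeing as code. What follows is an added example, not code from the original message and not restricted.crate.io's implementation: it takes one project page from a PEP 503-style "simple" index and keeps only the links that resolve to a file served by the index host itself, dropping rel="download"/rel="homepage" crawl links (which 2013-era installers would follow off-site), links to other hosts, and links that downgrade the scheme. The index URL `https://pypi.example/simple/somepkg/` and the sample HTML are constructed for the example.

```python
"""
Filter a PyPI "simple" index page down to the files the index hosts itself.

Added example, not code from restricted.crate.io or from the mailing-list
message. Assumes the simple-index layout of the time: one HTML page per
project whose <a> hrefs point either at files under the index's own host
or at arbitrary external hosts. SAMPLE_INDEX_URL and SAMPLE_HTML are
constructed inputs, not captured from a real index.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# rel values that installers of that era would crawl to find more files
CRAWL_RELS = {"download", "homepage"}

# Constructed sample: two files under the index host (one relative path,
# one absolute path), one external download link, one homepage link and
# one same-host link that drops from https to http.
SAMPLE_INDEX_URL = "https://pypi.example/simple/somepkg/"
SAMPLE_HTML = """
<html><body>
<a href="../../packages/source/s/somepkg/somepkg-1.0.tar.gz#md5=0123456789abcdef0123456789abcdef">somepkg-1.0.tar.gz</a><br/>
<a href="http://downloads.example.org/somepkg-1.1.tar.gz" rel="download">1.1 download</a><br/>
<a href="http://somepkg.example.org/" rel="homepage">homepage</a><br/>
<a href="/packages/source/s/somepkg/somepkg-0.9.tar.gz">somepkg-0.9.tar.gz</a><br/>
<a href="http://pypi.example/packages/source/s/somepkg/somepkg-0.8.tar.gz">somepkg-0.8.tar.gz</a><br/>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, rel, text) for every <a> element on the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None  # [href, rel, text] while inside an <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attrs = dict(attrs)
            self._current = [attrs.get("href") or "", attrs.get("rel") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[2] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def classify_links(index_url, html):
    """Return [(resolved_url, verdict, reason)] for each link on the page.

    verdict is "keep" for a file served by the index host over the index's
    own scheme, and "drop" for anything an installer would have to fetch
    from a third party (or over a downgraded scheme).
    """
    parser = _LinkCollector()
    parser.feed(html)
    index = urlsplit(index_url)
    results = []
    for href, rel, _text in parser.links:
        resolved = urljoin(index_url, href)  # relative hrefs inherit host+scheme
        parts = urlsplit(resolved)
        crawl = set(rel.lower().split()) & CRAWL_RELS
        if crawl:
            results.append((resolved, "drop", "rel=%s crawl link" % "/".join(sorted(crawl))))
        elif parts.netloc.lower() != index.netloc.lower():
            results.append((resolved, "drop", "external host %s" % parts.netloc))
        elif parts.scheme != index.scheme:
            results.append((resolved, "drop", "scheme %s differs from index scheme %s" % (parts.scheme, index.scheme)))
        else:
            results.append((resolved, "keep", "served by index host"))
    return results


def restrict_index(index_url, html):
    """Re-emit the project page with only the links classify_links keeps."""
    kept = [url for url, verdict, _ in classify_links(index_url, html) if verdict == "keep"]
    rows = []
    for url in kept:
        filename = url.rsplit("/", 1)[-1].split("#", 1)[0]
        rows.append('<a href="%s">%s</a><br/>' % (url, filename))
    return "<html><body>\n%s\n</body></html>\n" % "\n".join(rows)


if __name__ == "__main__":
    for url, verdict, reason in classify_links(SAMPLE_INDEX_URL, SAMPLE_HTML):
        print("%-4s %-40s %s" % (verdict, reason, url))
    print(restrict_index(SAMPLE_INDEX_URL, SAMPLE_HTML))
```

The host comparison is done on the URL after `urljoin`, so a relative href like `../../packages/...` is kept while an absolute `http://` link to the same host is rejected for the scheme downgrade; a real restricted mirror would additionally pin the allowed path prefix under which it serves files.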