[Catalog-sig] V3 PEP-draft for transitioning to pypi-hosting of release files

PJ Eby pje at telecommunity.com
Wed Mar 13 15:26:16 CET 2013

On Wed, Mar 13, 2013 at 7:21 AM, holger krekel <holger at merlinux.eu> wrote:
> Hi all,
> after some more discussions and hours spent by Carl Meyer (who is now
> co-authoring the PEP) and me, here is a new V3 pre-submit draft.
> It is now more ambitious than the previous draft as should be obvious
> from the modified abstract (and Carl Meyer's and Philip's earlier
> interactions on this list).  There also are more details of how
> the current link-scraping works among other improvements and incorporations
> of feedback from discussions here.
> We intend to submit this draft tonight to the PEP editors.
> Feedback now and later remains welcome.  I am sure there are issues to
> be sorted and clarified, among them the versioning-API suggestion by
> Marc-Andre.
> Thanks for everybody's support and feedback so far,
> holger

Looks good to me!

Setuptools' two releases will probably look like this:

1. Default to externals index, warn when fetching URLs that are not
the same host as the index
2. Default to externals index, reject URLs that are not the same host
as the index unless --allow-hosts is configured (IOW, default
allow-hosts to equal index-url host)

That way, external URLs can still be discovered by the user, but the
default configuration is still secure.
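
The two-stage host policy described in the message above, sketched as an added example (not part of the original email and not setuptools' own code). The names `filter_links`, `host_of`, `WARN` and `REJECT` are hypothetical, the links are constructed sample data, and matching `allow_hosts` entries as glob patterns is an assumption of this sketch.

```python
import fnmatch
import warnings
from urllib.parse import urlsplit

WARN, REJECT = "warn", "reject"  # hypothetical names for the two releases


def host_of(url):
    """Lowercased hostname, ignoring any userinfo and port ('' if absent)."""
    return urlsplit(url).hostname or ""


def filter_links(index_url, links, mode=REJECT, allow_hosts=None):
    """Split absolute links into (fetchable, off_index) under the host policy.

    allow_hosts is a list of glob patterns; None means "index host only",
    i.e. the default described for the second release.
    """
    index_host = host_of(index_url)
    fetchable, off_index = [], []
    for link in links:
        host = host_of(link)
        if allow_hosts is None:
            allowed = host == index_host
        else:
            allowed = any(fnmatch.fnmatchcase(host, p.lower()) for p in allow_hosts)
        if allowed:
            fetchable.append(link)
            continue
        off_index.append(link)
        if mode == WARN:  # first release: still fetch, but tell the user
            warnings.warn("link host %r is not index host %r" % (host, index_host))
            fetchable.append(link)
    return fetchable, off_index


# Constructed sample data, not taken from any real index page.
INDEX = "https://pypi.python.org/simple/"
LINKS = [
    "https://pypi.python.org/packages/source/e/example/example-1.0.tar.gz",
    "http://downloads.example.org/example-1.0.tar.gz",
    "https://PyPI.Python.org/packages/example-1.0.zip",
    "https://pypi.python.org@mirror.example.net/example-1.0.tar.gz",
]

if __name__ == "__main__":
    for mode in (WARN, REJECT):
        print(mode, filter_links(INDEX, LINKS, mode))
```

Comparing the parsed hostname rather than the raw URL string is what keeps the last sample link, whose userinfo part only looks like the index host, out of the allowed set.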
