[Catalog-sig] V3 PEP-draft for transitioning to pypi-hosting of release files
donald at stufft.io
Wed Mar 13 18:12:59 CET 2013
On Mar 13, 2013, at 10:26 AM, PJ Eby <pje at telecommunity.com> wrote:
> On Wed, Mar 13, 2013 at 7:21 AM, holger krekel <holger at merlinux.eu> wrote:
>> Hi all,
>> after some more discussions and hours spend by Carl Meyer (who is now
>> co-authoring the PEP) and me, here is a new V3 pre-submit draft.
>> It is now more ambitious than the previous draft as should be obvious
>> from the modified abstract (and Carl Meyers and Philip's earlier
>> interactions on this list). There also are more details of how
>> the current link-scraping works among other improvements and incorporations
>> of feedback from discussions here.
>> We intend to submit this draft tonight to the PEP editors.
>> Feedback now and later remains welcome. I am sure there are issues to
>> be sorted and clarified, among them the versioning-API suggestion by
>> Thanks for everybody's support and feedback so far,
> Looks good to me!
> Setuptools' two releases will probably look like this:
> 1. Default to externals index, warn when fetching URLs that are not
> the same host as the index
> 2. Default to externals index, reject URLs that are not the same host
> as the index unless --allow-hosts is configured (IOW, default
> allow-hosts to equal index-url host)
> That way, external URLs can still be discovered by the user, but the
> default configuration is still secure.
> Catalog-SIG mailing list
> Catalog-SIG at python.org
For the record I support the PEP and these 2 steps sound ok to me.
My only suggestion is an additional rel attribute for indexes to indicate this is index hosted file incase the index domain and the package host domain differ (as is the case with Crate).
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
More information about the Catalog-SIG