[Catalog-sig] V3 PEP-draft for transitioning to pypi-hosting of release files

Nick Coghlan ncoghlan at gmail.com
Thu Mar 14 07:43:20 CET 2013

On Wed, Mar 13, 2013 at 5:16 PM, Carl Meyer <carl at oddbird.net> wrote:
> There is no "instead of." There are parallel proposals (see the TUF
> thread) to improve the security of the ecosystem, and those proposals
> are not mutually exclusive with this one. If you search the PEP text,
> note that you don't find the words "secure" or "security" anywhere
> within it, or any claims of security achieved by this proposal alone.
> There is a brief mention of MITM attacks, which is relevant to the PEP
> because avoiding external link-crawling does reduce that attack surface,
> even if other proposals will also help with that (even more).

Right, the changes to provide end-to-end security require more
extensive changes and need to be given appropriate consideration
before we proceed to implementation and deployment. This PEP,
especially with the additional changes you propose here is an
excellent approach to *near term* improvement, as a parallel effort to
the more complex proposals.

The /simple/ index will also be around for a long time for backwards
compatibility reasons, regardless of any other changes that happen in
the overall distribution ecosystem.


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia

More information about the Catalog-SIG mailing list