[Catalog-sig] V4 Pre-PEP: transition to release-file hosting on PYPI

Donald Stufft donald at stufft.io
Fri Mar 15 16:22:05 CET 2013

On Mar 15, 2013, at 11:15 AM, PJ Eby <pje at telecommunity.com> wrote:

> Do we even need the internal/external rel info?  I was planning to
> just use the URL hostname.
> i.e., are there any use cases for designating an externally-hosted
> file internal, or an internally-hosted file external?  If not, it
> seems the rel="" is redundant.
> It's also more work to implement, vs. just defaulting --allow-hosts to
> be the --index-url host; a strategy ISTM pip could also use, since it
> has the same two options available.
> Also, if we're not doing homepage/download crawling any more, I was
> hoping we could just drop the code that 'parses' rel="" links in the
> first place, as it's an awkward ugly hack.  ;-)

It makes things uglier for end users if you have packages and the simple index hosted on several sites. It also just adds extra information, so if setuptools/easy_install wants to just use the host case, that wouldn't be bad.

It's actually more defensible to keep the service (ala PyPI/simple index) and the user-uploaded content (ala distribution files) hosted on separate domains, as it makes things like GIFAR-style attacks harder to execute. Making a move like that would break mirroring ATM on PyPI, but it's good information to include on the simple index to make it simpler for tools to determine what links are internal and what are external.

FWIW Crate has the uploaded files on an external domain for just this reason. (Also for CDN reasons, but that's because an SSL CDN is $$$$.)

Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
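The two link-classification rules under discussion, side by side, as an added example that is not code from the thread, pip or setuptools: a small parser reads a constructed `/simple/` page and decides for each link whether it is internal (trusted by the index), external, or a homepage/download crawl link. `classify_links` first honours a `rel="internal"`/`rel="external"` attribute when present and otherwise falls back to the hostname comparison PJ Eby proposes, with `allow_hosts` defaulting to the index host; passing `use_rel=False` shows what the hostname-only rule does when release files live on a separate domain, which is the case the reply describes. The index URL, hostnames, file names and function names are all assumptions made up for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample: a simple-index project page (placeholder hostnames).
# foo-1.0 has no rel and sits on the index host; foo-1.1 is marked internal
# but is served from a separate file-hosting domain; foo-1.2 is external.
SAMPLE_INDEX_URL = "https://index.example.test/simple/foo/"
SAMPLE_INDEX_HTML = """
<html><body>
<a href="../../packages/foo-1.0.tar.gz">foo-1.0.tar.gz</a>
<a rel="internal" href="https://files.example.test/foo-1.1.tar.gz">foo-1.1.tar.gz</a>
<a rel="external" href="http://downloads.elsewhere.test/foo-1.2.tar.gz">foo-1.2.tar.gz</a>
<a rel="homepage" href="http://foo.example.test/">home</a>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, rel) pairs from every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        if href:
            self.links.append((href, attrs.get("rel")))


def classify_links(index_url, html, allow_hosts=None, use_rel=True):
    """Return [(absolute_url, kind, allowed)] for each link on the page.

    kind is "internal", "external" or "crawl" (homepage/download links,
    which the thread proposes to stop spidering).  With use_rel=True the
    rel attribute decides when it carries that information; otherwise, and
    always with use_rel=False, a link is internal exactly when its hostname
    equals the index hostname.  allow_hosts defaults to the index host, the
    --allow-hosts default proposed in the quoted message; internal links are
    always allowed because the index itself vouches for them.
    """
    index_host = urlparse(index_url).hostname
    allowed_hosts = set(allow_hosts) if allow_hosts else set()
    allowed_hosts.add(index_host)

    collector = _LinkCollector()
    collector.feed(html)

    results = []
    for href, rel in collector.links:
        url = urljoin(index_url, href)  # resolve relative hrefs against the index page
        host = urlparse(url).hostname
        if rel in ("homepage", "download"):
            kind = "crawl"
        elif use_rel and rel in ("internal", "external"):
            kind = rel
        elif host == index_host:
            kind = "internal"
        else:
            kind = "external"
        allowed = kind == "internal" or (kind == "external" and host in allowed_hosts)
        results.append((url, kind, allowed))
    return results


if __name__ == "__main__":
    for use_rel in (True, False):
        print(f"use_rel={use_rel}")
        for url, kind, allowed in classify_links(SAMPLE_INDEX_URL, SAMPLE_INDEX_HTML, use_rel=use_rel):
            print(f"  {kind:8s} allowed={allowed!s:5s} {url}")
```

With `use_rel=True` the separately hosted foo-1.1 file is accepted because the index marked it internal; with `use_rel=False` the same link is treated as external and rejected unless its host is added to `allow_hosts`, which is exactly the extra configuration the reply says the rel attribute spares end users when files and index live on different domains.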

