[Catalog-sig] V4 Pre-PEP: transition to release-file hosting on PYPI

PJ Eby pje at telecommunity.com
Mon Mar 18 18:22:20 CET 2013


On Sat, Mar 16, 2013 at 3:15 AM, Nick Coghlan <ncoghlan at gmail.com> wrote:
>
> On 15 Mar 2013 16:16, "Carl Meyer" <carl at oddbird.net> wrote:
>>
>> tl;dr: I see your points, we'll change the PEP to allow clients to use
>> hostnames instead of the rel attributes if they prefer.
>
> I will veto any such change. Clients MUST NOT assume that the architecture
> of the index service will be limited to a single host name, they must
> process the explicit metadata provided by the index that indicates which
> hosts the index controls.
>
> Adding a "--trust-indices" flag to make this optional in setuptools would be
> fine, but it seems perverse to trust every aspect of an index *except* its
> claims to control additional hosts.

Actually, setuptools trusts redirects, so that mechanism is available
for splitting the hosted files to another domain.

As it stands, though, I don't see a way to support this without
introducing confusion.  The advantage of using allow-hosts based on
the index host is that it *also* specifies what to do with dependency
links provided by individual packages; the PEP does not provide any
real guidance on this point.

So, I have to withdraw my support for the PEP with these recent
changes, as it no longer reflects the approach I previously agreed to,
and as yet there have been no alternatives proposed to address the
user confusion issues (which IMO at least are a big part of the point
of having the PEP).

Of course, if redirection is required for non-extrapolatable
hostnames, or if somebody comes up with a new and brilliant scheme to
manage the menage of permissions needed across dependency_links, the
index, and general host trusting issues (while remaining
comprehensible and predictable to end users), I'll certainly have a
look again.  But I took the weekend off from this discussion to try to
come up with one myself, and so far I've got nothing.

