[Distutils] Request for Input re Packaging

Jeff Rush jeff at taupro.com
Thu Mar 20 21:42:10 CET 2008

Tarek Ziadé wrote:
> On Thu, Mar 20, 2008 at 12:17 AM, Jeff Rush <jeff at taupro.com 
>       - move to https/ssl
> There are a few problems in this area, also related to indexing 
> we need to work out imho:
> When a package defines a https://... link into the url meta-data, the 
> link will
> be added in the Simple index besides other links. For instance, people
> that uses sourceforge can have such urls. Even if the package egg or tarball
> is available at PyPI, the home page url will appear at #1 on the index page.
> This will make tools like easy_install read this link before it reaches 
> the egg/tarball.
> This is OK as long as the users behind the firewalls are allowed to call 
> htppS...

It's not clear to me the correct behavior - help me understand:

1. Are there firewall policies that block *all* https access?   I've
    only encountered more fine-grained firewalls because, to me, use
    of https for _some_ sites is a necessary and expected behavior.

2. If we moved PyPI to serve exclusively over https, for integrity
    reasons, would this have a major negative impact?

3. Would it be better to sort the URLs, to place the https ones at
    the end, a and allow a fetch error to occur, or provide a
    .distutils config option to just quietly skip https sites?

4. Is it not a problem that, when checking for newer versions,
    setuptools would be unable to access a newer version on an
    https site and would have to settle for an older version
    on a non-https site, leading to stale packages?


More information about the Distutils-SIG mailing list