[Distutils] Request for Input re Packaging
Jeff Rush
jeff at taupro.com
Thu Mar 20 21:42:10 CET 2008
Tarek Ziadé wrote:
>
> On Thu, Mar 20, 2008 at 12:17 AM, Jeff Rush <jeff at taupro.com
>
> - move to https/ssl
>
> There are a few problems in this area, also related to indexing
> we need to work out imho:
>
> When a package defines a https://... link in the url meta-data, the
> link will be added in the Simple index beside other links. For instance,
> people that use sourceforge can have such urls. Even if the package egg
> or tarball is available at PyPI, the home page url will appear at #1 on
> the index page.
>
> This will make tools like easy_install read this link before it reaches
> the egg/tarball.
>
> This is OK as long as the users behind the firewalls are allowed to call
> httpS...
It's not clear to me what the correct behavior is - help me understand:
1. Are there firewall policies that block *all* https access? I've
   only encountered more fine-grained firewalls because, to me, use
   of https for _some_ sites is a necessary and expected behavior.
2. If we moved PyPI to serve exclusively over https, for integrity
   reasons, would this have a major negative impact?
3. Would it be better to sort the URLs, to place the https ones at
   the end and allow a fetch error to occur, or provide a
   .distutils config option to just quietly skip https sites?
4. Is it not a problem that, when checking for newer versions,
   setuptools would be unable to access a newer version on an
   https site and would have to settle for an older version
   on a non-https site, leading to stale packages?
-Jeff