[Distutils] Request for Input re Packaging

Tarek Ziadé ziade.tarek at gmail.com
Fri Mar 21 20:03:07 CET 2008


oops, forgot to cc the list

On Fri, Mar 21, 2008 at 12:28 AM, Tarek Ziadé <ziade.tarek at gmail.com> wrote:

>
>
> On Thu, Mar 20, 2008 at 9:42 PM, Jeff Rush <jeff at taupro.com> wrote:
>
> > Tarek Ziadé wrote:
> > >
> > > On Thu, Mar 20, 2008 at 12:17 AM, Jeff Rush <jeff at taupro.com
> > >
> > >       - move to https/ssl
> > >
> > > There are a few problems in this area, also related to indexing
> > > we need to work out imho:
> > >
> > > When a package defines a https://... link in the url meta-data, the
> > > link will be added in the Simple index besides other links. For
> > > instance, people who use sourceforge can have such urls. Even if the
> > > package egg or tarball is available at PyPI, the home page url will
> > > appear at #1 on the index page.
> > >
> > > This will make tools like easy_install read this link before it
> > > reaches the egg/tarball.
> > >
> > > This is OK as long as the users behind the firewalls are allowed to
> > > call httpS...
> >
> > It's not clear to me what the correct behavior is - help me understand:
> >
> > 1. Are there firewall policies that block *all* https access?   I've
> >    only encountered more fine-grained firewalls because, to me, use
> >    of https for _some_ sites is a necessary and expected behavior.
>
>
> That happened last week for a developer on one project at a customer
> place. I am not saying it is the right behavior, but that's how I found
> the problem.
>
> Now maybe that such a firewall is too restrictive anyway to allow the
> usage of a web based repository such as PyPI
>
>
> > 2. If we moved PyPI to serve exclusively over https, for integrity
> >    reasons, would this have a major negative impact?
> >
>
> Related to 1. I guess it is a choice. As long as it is easy to
> create mirrors of PyPI. That's what we do in some projects.
>
> Now for https, like Dave says, we cannot create at this time
> a robust auth handler for it, and our PyPI implementation uses http auth.
>
> So if this patch is pushed it is very cool :)
>
>
> > 3. Would it be better to sort the URLs, to place the https ones at
> >    the end, and allow a fetch error to occur, or provide a
> >    .distutils config option to just quietly skip https sites?
>
>
> I think ordering the URLs and putting the *.egg, *.tar.gz, etc.
> first would be good yes, as easy_install fetches them in order.
>
> It will also make the system quicker I think, if easy_install
> would not fetch external home URLs when the right packages
> are available on the page.
>
> Maybe those could be dropped when the dists are uploaded.
> That's what I am doing on the PyPI server I work on.
>
>
>
> > 4. Is it not a problem that, when checking for newer versions,
> >    setuptools would be unable to access a newer version on an
> >    https site and would have to settle for an older version
> >    on a non-https site, leading to stale packages?
> >
>
> Good point. But I guess that as long as the system allows
> external urls, we can't prevent such failures.
>
> We have some mirrors for that as a matter of fact,
> not to rely on third party servers that are sometimes down
> or moving things around.
>
>
>
>
> >
> > -Jeff
> >
>
>
>
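As an added illustration (not code from this thread or from setuptools), here is how the ordering Jeff and Tarek discuss could be applied to the links of a Simple index page: distribution archives first, plain-http pages next, https pages last, with the "quietly skip https" config option as a flag. The index HTML and URLs are constructed samples, and the helper names are mine.

```python
import re
from urllib.parse import urlparse

# Constructed sample of a PyPI "Simple" index page for one package, in the
# shape the thread describes: the https home page (hosted off-site) is listed
# first, ahead of the egg and tarball that PyPI itself hosts.
SAMPLE_INDEX_HTML = """
<html><body>
<a href="https://example-project.sourceforge.net/">home page</a><br/>
<a href="http://pypi.python.org/packages/source/e/example/example-1.0.tar.gz">example-1.0.tar.gz</a><br/>
<a href="http://pypi.python.org/packages/2.5/e/example/example-1.0-py2.5.egg">example-1.0-py2.5.egg</a><br/>
<a href="http://example.org/example/">download page</a><br/>
</body></html>
"""

# File suffixes that mark a link as a distribution archive rather than a page.
DIST_SUFFIXES = (".egg", ".tar.gz", ".tgz", ".zip", ".tar.bz2")


def extract_links(html):
    """Return the href values of an index page, in page order."""
    return re.findall(r'href="([^"]+)"', html)


def is_distribution(url):
    """True when the URL path ends in an archive suffix (case-insensitive)."""
    return urlparse(url).path.lower().endswith(DIST_SUFFIXES)


def order_links(urls, skip_https=False):
    """Order links for a fetcher that tries them top to bottom.

    Archives come before pages, and within each group http comes before
    https, so a client behind an https-blocking firewall reaches the
    PyPI-hosted egg/tarball before it ever touches an external https link.
    With skip_https=True, https links are dropped entirely (the quiet-skip
    option Jeff proposes).
    """
    def rank(url):
        is_https = urlparse(url).scheme.lower() == "https"
        return (0 if is_distribution(url) else 1, 1 if is_https else 0)

    # sorted() is stable, so links with equal rank keep their page order.
    ordered = sorted(urls, key=rank)
    if skip_https:
        ordered = [u for u in ordered if urlparse(u).scheme.lower() != "https"]
    return ordered
```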