[Distutils] What to do about the PyPI mirrors

Sun Aug 4 10:48:40 CEST 2013

On Aug 4, 2013, at 3:14 AM, Noah Kantrowitz <noah at coderanger.net> wrote:

> 
> On Aug 3, 2013, at 5:17 PM, Donald Stufft wrote:
> 
>> 
>> On Jul 25, 2013, at 1:38 AM, Richard Jones <r1chardj0n3s at gmail.com> wrote:
>> 
>>> Hi all,
>>> 
>>> I've just been contacted by someone who's set up a new public mirror
>>> of PyPI and would like it integrated into the mirror ecosystem.
>>> 
>>> I think it's probably time we thought about how to demote the mirrors:
>>> 
>>> - they cause problems with security (being under the python.org domain
>>> causes various issues including inability to use HTTPS and cookie
>>> issues)
>>> - they're no longer necessary thanks to the CDN work
>>> 
>>> So, things to do:
>>> 
>>> - links and information on PyPI itself can be removed
>>> - tools that use mirrors still need to be able to but mention of using
>>> public mirrors is probably something to demote
>>> 
>>> These are just rough thoughts that occurred to me just now.
>>> 
>>> 
>>>  Richard
>>> _______________________________________________
>>> Distutils-SIG maillist  -  Distutils-SIG at python.org
>>> http://mail.python.org/mailman/listinfo/distutils-sig
>> 
>> Can we close the loop on this? Ideally I think any public mirrors
>> should need to register their own domain name. We can either
>> maintain a list of unofficial mirrors, or Ken Cochrane has been
>> doing a good job I think of keeping a list (as well as tracking some
>> basic stats) at http://pypi-mirrors.org/ so maybe we can just point
>> people to that as the list of mirrors?
>> 
>> Ideally we should get all of them off the *.python.org namespace.
> 
> As the one with the finger on the not-the-metaphorical button, I think we should say that two (2) months from now, on October 1st 2013, the [a-g].pypi.python.org DNS names will all be redirected to front.python.org and another two months beyond that (2013-12-01) they will all be deleted (along with last.pypi.python.org). That seems like a very generous deprecation schedule, especially given that all the needs to change is some domain registrations.
> 
> --Noah
> 

Personally I +1 this proposal, it's been near 10 days with basically zero response of any kind, and no response to the negative. 

The only change I'd possibly make is change the deletion period to some period of time after the pip 1.5 release.

5 days ago my branch to remove mirroring support from pip was merged into pip's develop branch. I don't see any direct support for mirroring in setuptools nor do I see any in buildout so I think it makes sense to hold off on the final deletion until after the only of the 3 major installers that seems to have any direct support for mirrors has released a version without it plus a bit of lead time for people to switch.

So I guess revised I'd say in roughly two months on Oct 1st the [a-g].pypi.python.rg DNS names will be redirected to front.python.org and then roughly 2 months after pip has released version 1.5 with the removal of the mirroring support they will be deleted along with last.pypi.python.org.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20130804/a631b6f5/attachment.pgp>