[Distutils] What to do about the PyPI mirrors

martin at v.loewis.de
Tue Aug 6 09:15:18 CEST 2013

Quoting Nick Coghlan <ncoghlan at gmail.com>:

> On 6 August 2013 16:09, Christian Theune <ct at gocept.com> wrote:
>> Hi,
>> looks like I'm late to the party to figure out that I'm going to be hurt
>> again.
> That's why I asked for this to be put through the PEP process: to give
> it more visibility, and provide more opportunity for people
> potentially affected to have a chance to comment and offer
> alternatives. Giving third parties the opportunity to read python.org
> cookies indefinitely isn't an option.

Define "third party". There are a number of organisations other than the
PSF that can read python.org cookies.

As Noah explains, it's a matter of trust. Noah chooses to trust Fastly,
I choose to trust Christian Theune. We both have then imposed our trust
on the community.

In any case, I consider the cookie issue a red herring. Mirror operators
could only steal cookies if users actually pointed their web browsers to
the mirrors. They typically don't, since they use setuptools or pip,
which doesn't even have access to the cookies. And, if a mirror operator
actually does request cookies, there is a high risk in being caught in
doing so. If that happens, the mirror operator will not only lose the mirror,
but also lose community trust.
