[Distutils] What to do about the PyPI mirrors
Donald Stufft
donald at stufft.io
Tue Aug 6 13:08:06 CEST 2013
On Aug 6, 2013, at 6:45 AM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
> Assuming the main breakage comes from people having hard-coded the
> mirror names in configuration files: Why not leave the *.pypi names
> available "forever" (ten years), all pointing to the master?
The major reason (for me, Noah might have others as Infra lead) is that they
have never been available via TLS, so everyone using them hard-coded is
using them hard-coded as HTTP. A lot of those people likely don't realize that
by using them they are risking a man-in-the-middle attack. So by continuing
to support them we are essentially continuing to enable a grossly insecure
setting, with the very likely case being that the folks vulnerable to it have not made
an informed decision to do so and instead have merely done what they
thought was best practice. Ensuring that the transport is safe is one of my
primary goals right now.
A secondary (but minor) reason is simply one of logistics. Throughout various
migrations, as things on PyPI settled, the ones that do point back to
PyPI have randomly become broken, sometimes for weeks or months. It's
easy to miss checking that all of them continue to work, and I believe
that it's better to have a clean break than half-ass support for those names.
-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
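The risk Donald describes is a hard-coded plain-HTTP index URL sitting in a pip or distutils config file, where the user never consciously chose an unencrypted transport. The following is an added example, not code from the thread or from the PyPI/pip projects: a small checker that parses INI-style config text (the shape pip.conf and .pydistutils.cfg use), flags every index or find-links URL whose scheme is not https, and optionally rewrites those entries to a TLS index of the administrator's choosing. The config content and host names below are constructed for illustration; the mirror host is a placeholder, not one of the real *.pypi names.

```python
"""Flag (and optionally fix) plain-HTTP package index URLs in pip-style configs.

Added example for the mirror-retirement discussion; not part of the original
thread or of pip/distutils. Assumes INI-style config text as pip reads it.
"""
import configparser
import sys
from urllib.parse import urlsplit

# Config keys that tell pip / easy_install where to fetch packages from.
INDEX_KEYS = ("index-url", "extra-index-url", "index_url", "find-links", "find_links")

# Constructed sample config: one legacy-style HTTP index plus one HTTP
# find-links entry next to properly TLS-protected ones. Hosts are placeholders.
SAMPLE_PIP_CONF = """\
[global]
index-url = http://legacy-mirror.example/simple/
extra-index-url = https://index.example/simple/
[install]
find-links = http://mirror.example/wheels/ https://wheels.example/
"""


def find_insecure_index_urls(config_text):
    """Return [(section, key, url)] for every index URL whose scheme is not https.

    Bare entries with no scheme are skipped (pip would not treat them as a
    remote index); anything else that is not https is reported, since only
    TLS gives the client a way to detect a tampered index or package.
    """
    parser = configparser.ConfigParser(interpolation=None)  # '%' is literal here
    parser.read_string(config_text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if key not in INDEX_KEYS:
                continue
            # find-links may hold several whitespace-separated URLs
            for url in value.split():
                scheme = urlsplit(url).scheme.lower()
                if scheme and scheme != "https":
                    findings.append((section, key, url))
    return findings


def rewrite_insecure(config_text, replacement):
    """Return config_text with each insecure index URL swapped for `replacement`.

    `replacement` is the https index the administrator wants clients to use
    (an assumption of this example; the thread itself names no URL). Only the
    flagged URLs change; all other lines are returned untouched.
    """
    bad_urls = {url for _, _, url in find_insecure_index_urls(config_text)}
    fixed_lines = []
    for line in config_text.splitlines():
        for url in bad_urls:
            line = line.replace(url, replacement)
        fixed_lines.append(line)
    return "\n".join(fixed_lines) + ("\n" if config_text.endswith("\n") else "")


def main(paths):
    """Report insecure index URLs in each config file given on the command line."""
    exit_code = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        for section, key, url in find_insecure_index_urls(text):
            print(f"{path}: [{section}] {key} = {url}  (not https)")
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    # No files given: demonstrate on the constructed sample.
    for finding in find_insecure_index_urls(SAMPLE_PIP_CONF):
        print("insecure:", finding)
    print(rewrite_insecure(SAMPLE_PIP_CONF, "https://index.example/simple/"))
```

Run it as `python check_index_urls.py ~/.pip/pip.conf ~/.pydistutils.cfg` to audit a host; a non-zero exit status makes it usable as a CI or configuration-management check. The rewrite deliberately points flagged entries at a single https index rather than just changing `http` to `https`, because, as the message notes, the retired mirror names never served TLS at all.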