[Distutils] Remove the "Mirror Authenticity" API
Donald Stufft
donald at stufft.io
Sun Sep 29 05:07:40 CEST 2013
On Sep 28, 2013, at 10:16 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> On 29 September 2013 11:10, Noah Kantrowitz <noah at coderanger.net> wrote:
>> +1
>>
>> --Noah
>
> Deprecating it as a consequence of PEP 449 makes sense, but is there
> any urgency to dropping it?
>
> I'm not necessarily opposed to removing it, but what's the specific
> *gain* in doing so? If it's just a matter of wanting to skip
> implementing it for Warehouse, then I'd say +1 to leaving it out of
> the API reimplementation, but I don't yet see the advantage in
> removing it from the existing PyPI code base.
>
> If we do remove it, then it should probably only be after all the old
> autodiscovery domain names have been redirected back to the main PyPI
> server.
>
> Cheers,
> Nick.
>
> --
> Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
Well the underlying reason is I think it's a dead end and I don't want to
implement it in Warehouse.
The reason for wanting to remove it *now* instead of just letting it naturally
die when Warehouse becomes a thing is to remove the (unlikely) chance
that someone starts to depend on it in the interim. Basically since afaik
nobody even uses it (Crate did for awhile and I had to disable it because
of false failures) the risk is minimal to removing it outright to prevent it from
being used.
Plus if the secret key has leaked (unlikely but possible given the implementation
and the use of DSA) it's not just "cruft" it's outright dangerous.
-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20130928/8825d8f6/attachment.sig>
More information about the Distutils-SIG
mailing list