[Distutils] Remove the "Mirror Authenticity" API

Sun Sep 29 08:13:50 CEST 2013

On 29 September 2013 13:07, Donald Stufft <donald at stufft.io> wrote:
>
> On Sep 28, 2013, at 10:16 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:
>
>> On 29 September 2013 11:10, Noah Kantrowitz <noah at coderanger.net> wrote:
>>> +1
>>>
>>> --Noah
>>
>> Deprecating it as a consequence of PEP 449 makes sense, but is there
>> any urgency to dropping it?
>>
>> I'm not necessarily opposed to removing it, but what's the specific
>> *gain* in doing so? If it's just a matter of wanting to skip
>> implementing it for Warehouse, then I'd say +1 to leaving it out of
>> the API reimplementation, but I don't yet see the advantage in
>> removing it from the existing PyPI code base.
>>
>> If we do remove it, then it should probably only be after all the old
>> autodiscovery domain names have been redirected back to the main PyPI
>> server.
>>
>> Cheers,
>> Nick.
>>
>> --
>> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
>
> Well the underlying reason is I think it's a dead end and I don't want to
> implement it in Warehouse.
>
> The reason for wanting to remove it *now* instead of just letting it naturally
> die when Warehouse becomes a thing is to remove the (unlikely) chance
> that someone starts to depend on it in the interim. Basically since afaik
> nobody even uses it (Crate did for awhile and I had to disable it because
> of false failures) the risk is minimal to removing it outright to prevent it from
> being used.
>
> Plus if the secret key has leaked (unlikely but possible given the implementation
> and the use of DSA) it's not just "cruft" it's outright dangerous.

That sounds reasonable. Perhaps switch those URLs to return an error
page explaining why they're no longer available, along with a pointer
to PEP 449 and a suggestion to contact distutils-sig if the removal
causes a problem for anyone?

Cheers,
Nick.

-- 
Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia