[Distutils] Remove the "Mirror Authenticity" API

Richard Jones richard at mechanicalcat.net
Sun Sep 29 08:21:32 CEST 2013 

I've edited the /mirrors page to reflect the new mirroring reality (and
pushed to the repos which I *think* will result in it being pushed to the
server, yes?)


      Richard


On 29 September 2013 16:13, Nick Coghlan <ncoghlan at gmail.com> wrote:

> On 29 September 2013 13:07, Donald Stufft <donald at stufft.io> wrote:
> >
> > On Sep 28, 2013, at 10:16 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> >
> >> On 29 September 2013 11:10, Noah Kantrowitz <noah at coderanger.net>
> wrote:
> >>> +1
> >>>
> >>> --Noah
> >>
> >> Deprecating it as a consequence of PEP 449 makes sense, but is there
> >> any urgency to dropping it?
> >>
> >> I'm not necessarily opposed to removing it, but what's the specific
> >> *gain* in doing so? If it's just a matter of wanting to skip
> >> implementing it for Warehouse, then I'd say +1 to leaving it out of
> >> the API reimplementation, but I don't yet see the advantage in
> >> removing it from the existing PyPI code base.
> >>
> >> If we do remove it, then it should probably only be after all the old
> >> autodiscovery domain names have been redirected back to the main PyPI
> >> server.
> >>
> >> Cheers,
> >> Nick.
> >>
> >> --
> >> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
> >
> > Well the underlying reason is I think it's a dead end and I don't want to
> > implement it in Warehouse.
> >
> > The reason for wanting to remove it *now* instead of just letting it
> naturally
> > die when Warehouse becomes a thing is to remove the (unlikely) chance
> > that someone starts to depend on it in the interim. Basically since afaik
> > nobody even uses it (Crate did for awhile and I had to disable it because
> > of false failures) the risk is minimal to removing it outright to
> prevent it from
> > being used.
> >
> > Plus if the secret key has leaked (unlikely but possible given the
> implementation
> > and the use of DSA) it's not just "cruft" it's outright dangerous.
>
> That sounds reasonable. Perhaps switch those URLs to return an error
> page explaining why they're no longer available, along with a pointer
> to PEP 449 and a suggestion to contact distutils-sig if the removal
> causes a problem for anyone?
>
> Cheers,
> Nick.
>
> --
> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20130929/675407e0/attachment.html>

More information about the Distutils-SIG mailing list