[Distutils] Remove the "Mirror Authenticity" API
Richard Jones
richard at mechanicalcat.net
Sun Sep 29 09:58:26 CEST 2013
Er, yeah, sorry, I misspoke there. The change I made to the page just talks
about the DNS being killed off and points to the PEP.
On 29 September 2013 16:44, Donald Stufft <donald at stufft.io> wrote:
> Only the naming scheme is dead, protocol itself is still fine.
>
> On Sep 29, 2013, at 1:52 AM, Richard Jones <richard at mechanicalcat.net>
> wrote:
>
> Like Nick I'm not sure I see the urgency here. I'm going to add a
> deprecation statement to the public mirroring page at /mirrors so it's
> clear that protocol is dead (not just resting).
>
>
> Richard
>
>
> On 29 September 2013 13:07, Donald Stufft <donald at stufft.io> wrote:
>
>>
>> On Sep 28, 2013, at 10:16 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:
>>
>> > On 29 September 2013 11:10, Noah Kantrowitz <noah at coderanger.net>
>> wrote:
>> >> +1
>> >>
>> >> --Noah
>> >
>> > Deprecating it as a consequence of PEP 449 makes sense, but is there
>> > any urgency to dropping it?
>> >
>> > I'm not necessarily opposed to removing it, but what's the specific
>> > *gain* in doing so? If it's just a matter of wanting to skip
>> > implementing it for Warehouse, then I'd say +1 to leaving it out of
>> > the API reimplementation, but I don't yet see the advantage in
>> > removing it from the existing PyPI code base.
>> >
>> > If we do remove it, then it should probably only be after all the old
>> > autodiscovery domain names have been redirected back to the main PyPI
>> > server.
>> >
>> > Cheers,
>> > Nick.
>> >
>> > --
>> > Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
>>
>> Well the underlying reason is I think it's a dead end and I don't want to
>> implement it in Warehouse.
>>
>> The reason for wanting to remove it *now* instead of just letting it
>> naturally
>> die when Warehouse becomes a thing is to remove the (unlikely) chance
>> that someone starts to depend on it in the interim. Basically since afaik
>> nobody even uses it (Crate did for awhile and I had to disable it because
>> of false failures) the risk is minimal to removing it outright to prevent
>> it from
>> being used.
>>
>> Plus if the secret key has leaked (unlikely but possible given the
>> implementation
>> and the use of DSA) it's not just "cruft" it's outright dangerous.
>>
>> -----------------
>> Donald Stufft
>> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372
>> DCFA
>>
>>
>
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372
> DCFA
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20130929/299d66bb/attachment.html>
More information about the Distutils-SIG
mailing list