[Distutils] PEP 470 Round 2 - Using Multi Index Support for External to PyPI Package File Hosting

Donald Stufft donald at stufft.io
Fri Jun 6 13:58:04 CEST 2014


I’ve updated the PEP:

http://hg.python.org/peps/rev/3128e9d38937


files:
 pep-0470.txt |  15 +++++++++++++++
 1 files changed, 15 insertions(+), 0 deletions(-)


diff --git a/pep-0470.txt b/pep-0470.txt
--- a/pep-0470.txt
+++ b/pep-0470.txt
@@ -389,6 +389,9 @@
  hosted.
* Default to disallowing safely externally hosted files with only a global
  flag to enable them, but disallow unsafely hosted.
+* Continue on the suggested path of PEP 438 and remove the option to unsafely
+  host externally but continue to allow the option to safely host externally.
+

These proposals are rejected because:

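Review bot: the trailing `+` blank line at the end of the new bullet doubles the blank line that already separates this list from "These proposals are rejected because:" (the unchanged blank context line follows it directly); drop the added blank so the list keeps the single separator the surrounding entries use. Wording-wise, "Continue on the suggested path of PEP 438" would be clearer if it named what that path is, e.g. "Follow PEP 438 and remove the option to host externally unsafely, while keeping the option to host externally safely", so the bullet stands on its own when read against the other rejected proposals.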
@@ -454,6 +457,18 @@
  or attempt to deploy to a server where their install will fail again until
  they add the "make it work" flag in their configuration file.

+* The URL classification only works for a certain subset of projects, however
+  it does not allow for any project which needs additional restrictions such
+  as Access Controls. This means that there would be two methods of doing the
+  same thing, linking to a file safely and hosting an index. Hosting an index
+  works in all situations and by relying on this we make for a more consistent
+  experience no matter the reason for external hosting.
+
+* The safe external hosting option hampers the ability of PyPI to upgrade it's
+  security infrastructure. For instance if MD5 becomes broken in the future
+  there will be no way for PyPI to upgrade the hashes of the projects which
+  rely on safe external hosting via MD5 while files that are hosted on PyPI
+  can simply be processed over with a new hash function.

Copyright
=========

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
