[Distutils] PEP464 - Removal of the PyPI Mirror Authenticity API

Donald Stufft donald at stufft.io
Thu Mar 6 01:31:04 CET 2014

Just a ping on this :) I’m assuming nobody actually cares because it’s an unused API
but since it was introduced through a PEP I wanted to remove it through a PEP.

On Mar 4, 2014, at 2:48 PM, Donald Stufft <donald at stufft.io> wrote:

> Hello! I’d like to propose PEP464, the removal of the PyPI Mirror Authenticity API which was originally described in PEP381.
> The text of the PEP is below, or it can be viewed online at https://python.org/dev/peps/pep-0464/
> PEP: 464
> Title: Removal of the PyPI Mirror Authenticity API
> Version: $Revision$
> Last-Modified: $Date$
> Author: Donald Stufft <donald at stufft.io>
> BDFL-Delegate: Richard Jones <richard at python.org>
> Discussions-To: distutils-sig at python.org
> Status: Draft
> Type: Process
> Content-Type: text/x-rst
> Created: 02-Mar-2014
> Post-History: 03-Mar-2014
> Replaces: 381
> Abstract
> ========
> This PEP proposes the deprecation and removal of the PyPI Mirror Authenticity
> API, this includes the /serverkey URL and all of the URLs under /serversig.
> Rationale
> =========
> The PyPI mirroring infrastructure (defined in PEP 381) provides a means to
> mirror the content of PyPI used by the automatic installers, and as a component
> of that, it provides a method for verifying the authenticity of the mirrored
> content.
> This PEP proposal the removal of this API due to:
> * No known implementations that utilize this API are known, this includes
>  `pip <http://www.pip-installer.org/en/latest/>`_ and
>  `setuptools <http://pythonhosted.org//setuptools/>`_.
> * Because this API uses DSA it is vulnerable to leaking the private key if
>  there is *any* bias in the random nonce.
> * This API solves one small corner of the trust problem, however the problem
>  itself is much larger and it would be better to have a fully fledged system,
>  such as `The Update Framework <https://python.org/dev/peps/pep-0458/>`_,
>  instead.
> Due to the issues it has and the lack of use it is the opinion of this PEP
> that it does not provide any practical benefit to justify the additional
> complexity.
> Plan for Deprecation & Removal
> ==============================
> Immediately upon the acceptance of this PEP the Mirror Authenticity API will
> be considered deprecated and mirroring agents and installation tools should
> stop accessing it.
> Instead of actually removing it from the current code base (PyPI 1.0) the
> current work to replace PyPI 1.0 with a new code base (PyPI 2.0) will simply
> not implement this API. This would cause the API to be "removed" when the
> switch from 1.0 to 2.0 occurs.
> If PyPI 2.0 has not been deployed in place of PyPI 1.0 by Sept 01 2014 then
> this PEP will be implemented in the PyPI 1.0 code base instead (by removing
> the associated code).
> No changes will be required in the installers, however PEP 381 compliant
> mirroring clients, such as
> `bandersnatch <https://pypi.python.org/pypi/bandersnatch/>`_ and
> `pep381client <https://pypi.python.org/pypi/pep381client/>`_ will need to be
> updated to no longer attempt to mirror the /serversig URLs.
> Copyright
> =========
> This document has been placed in the public domain.
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
> _______________________________________________
> Distutils-SIG maillist  -  Distutils-SIG at python.org
> https://mail.python.org/mailman/listinfo/distutils-sig

Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20140305/a07a67fb/attachment.sig>

More information about the Distutils-SIG mailing list