[Python-checkins] peps: Add additional reasons and explicitly reject the "next steps" of PEP 438

donald.stufft python-checkins at python.org
Fri Jun 6 13:57:16 CEST 2014


http://hg.python.org/peps/rev/3128e9d38937
changeset:   5488:3128e9d38937
user:        Donald Stufft <donald at stufft.io>
date:        Fri Jun 06 07:57:08 2014 -0400
summary:
  Add additional reasons and explicitly reject the "next steps" of PEP 438

files:
  pep-0470.txt |  15 +++++++++++++++
  1 files changed, 15 insertions(+), 0 deletions(-)


diff --git a/pep-0470.txt b/pep-0470.txt
--- a/pep-0470.txt
+++ b/pep-0470.txt
@@ -389,6 +389,9 @@
   hosted.
 * Default to disallowing safely externally hosted files with only a global
   flag to enable them, but disallow unsafely hosted.
+* Continue on the suggested path of PEP 438 and remove the option to unsafely
+  host externally but continue to allow the option to safely host externally.
+
 
 These proposals are rejected because:
 
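Review bot: The lone added blank line after "host externally but continue to allow the option to safely host externally." sits directly above an existing blank context line, so the list is now followed by two blank lines before "These proposals are rejected because:"; drop the added one. The bullet also refers to "the suggested path of PEP 438" without saying what that path is, while the commit summary calls it the "next steps" of PEP 438; using the same phrase here, or naming the step, would let the bullet stand alone like the one above it.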
@@ -454,6 +457,18 @@
   or attempt to deploy to a server where their install will fail again until
   they add the "make it work" flag in their configuration file.
 
+* The URL classification only works for a certain subset of projects, however
+  it does not allow for any project which needs additional restrictions such
+  as Access Controls. This means that there would be two methods of doing the
+  same thing, linking to a file safely and hosting an index. Hosting an index
+  works in all situations and by relying on this we make for a more consistent
+  experience no matter the reason for external hosting.
+
+* The safe external hosting option hampers the ability of PyPI to upgrade it's
+  security infrastructure. For instance if MD5 becomes broken in the future
+  there will be no way for PyPI to upgrade the hashes of the projects which
+  rely on safe external hosting via MD5 while files that are hosted on PyPI
+  can simply be processed over with a new hash function.
 
 Copyright
 =========
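Review bot: In the second added bullet, "if MD5 becomes broken in the future" understates the case: practical MD5 collision attacks are already public, and what protects a linked file against being swapped at the external host is second-preimage resistance. Naming the property that is meant, or simply saying the hash function may need replacing, would keep the argument accurate; the point that PyPI cannot upgrade hashes for externally hosted files holds either way. In the same bullet, "it's security infrastructure" should be "its", and "processed over with a new hash function" would read more clearly as "re-hashed with a new hash function". In the first added bullet, the comma in "two methods of doing the same thing, linking to a file safely and hosting an index" should be a colon.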

-- 
Repository URL: http://hg.python.org/peps

