[Python-Dev] Yearly PyPI breakage

tritium-list at sdamon.com tritium-list at sdamon.com
Wed May 4 02:39:51 EDT 2016


Are you for real?  I honestly do not understand your hostility.

You posted a mean-spirited complaint about a policy that is nearly exactly
two years old, to the wrong list, and call out the people calmly trying to
explain what happened and why, and how you can mitigate it for your own work
and organization.  What do you intend to accomplish?

* PyPI is no longer an index, it is a repository
* The decision to disable the index-only features of PyPI was made 2 years
ago, including pep438 - plenty of time to make alternate arrangements.
* The tooling for hosting your own repository is available, should you
actually need to host the files outside of PyPI
* The tooling exists to use other indexes
* The tooling exists to host your own index that serves your own packages
(that you develop or third party packages that you package for your own
use), that defaults to PyPI for packages not in your own repository

I understand that you are upset that a feature you used was removed; posting
with hostility to a list of people who do not even have control over the
repository is not a legitimate way to solve your problems.

> -----Original Message-----
> From: Python-Dev [mailto:python-dev-bounces+tritium-
> list=sdamon.com at python.org] On Behalf Of Stefan Krah
> Sent: Wednesday, May 04, 2016 00:15
> To: python-dev at python.org
> Subject: Re: [Python-Dev] Yearly PyPI breakage
> 
> 
> > [cut overlong post]
> 
> Glyph,
> 
> nice sneaky way to try to divert from the original issue. Your whole post
> is invalidated by the simple fact that the URL was protected by a hash
> (which I repeatedly asked to be upgraded to sha256).
> 
> This was the official scheme promoted by PEP-438, which you should know.
> But of course your actual intention here is character assassination,
> pretending to "rescue" cdecimal and trying to divert from the fact that
> the transition to PEP 470 was handled suboptimally.
> 
> 
> The very reason for this thread is that the security was silently disabled
> WITHOUT me getting a notification.  What is on PyPI *now* is not what I
> configured!
> 
> 
> Please believe me when I say I do not mean the following to be insulting --
> people who have done *actual* cryptography to varying degrees often tend
> to focus on the important parts and aren't impressed by regurgitating
> catch phrases like SSL and man-in-the-middle:
> 
>     http://cr.yp.to/ecdh.html
> 
> 
> The amount of security "experts" in the Python community that pontificate
> on any occasion is pretty annoying.  What do you think djb thinks of Twisted?
> 
> 
> > If anyone wants package-index access to this name to upload Windows or
> manylinux wheels just let me know; however, as this is just a proof of
> concept, I do not intend to maintain it long-term.
> 
> That's apparently all you can do:  Move bits from place A to place B and not
> care how long it took to produce them.
> 
> You are a real hero.
> 
> 
> 
> Stefan Krah
> 
> 
> 
> 
> _______________________________________________
> Python-Dev mailing list
> Python-Dev at python.org
> https://mail.python.org/mailman/listinfo/python-dev
> Unsubscribe: https://mail.python.org/mailman/options/python-dev/tritium-
> list%40sdamon.com
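The hash-protected download URL the quoted message refers to is the PEP 438-era scheme in which a link carries its expected digest in the URL fragment (e.g. `#md5=<hex>` or `#sha256=<hex>`) and the installer checks the fetched file against it. The following is an added example, not code from the thread or from pip; the URL, package bytes and digests are constructed here, and the return codes (`ok`, `no-hash`, `weak-hash`, `mismatch`) are this example's own convention. It shows why a silently missing or weak hash is the thing to watch for: the verifier reports both instead of accepting the file.

```python
"""Verify a downloaded artifact against the hash fragment in its URL.

Added example modelling the PEP 438-style '#<alg>=<hex>' link scheme.
Everything below (URLs, bytes, digests) is constructed for illustration.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Digests acceptable for integrity pinning. md5/sha1 are recognised only so
# legacy links can be identified and flagged as weak rather than ignored.
STRONG_HASHES = {"sha256", "sha384", "sha512"}
KNOWN_HASHES = STRONG_HASHES | {"md5", "sha1"}


def parse_hash_fragment(url):
    """Return (algorithm, hex_digest) from a '#<alg>=<hex>' fragment, else None."""
    fragment = urlparse(url).fragment
    alg, sep, digest = fragment.partition("=")
    alg = alg.lower()
    if not sep or alg not in KNOWN_HASHES or not digest:
        return None
    return alg, digest.lower()


def verify_download(url, data, allow_weak=False):
    """Check `data` against the digest carried in `url`.

    Returns "ok", "no-hash", "weak-hash" or "mismatch". A missing fragment
    or a weak algorithm is reported explicitly so the caller can decide,
    rather than the protection quietly disappearing.
    """
    parsed = parse_hash_fragment(url)
    if parsed is None:
        return "no-hash"
    alg, expected = parsed
    if alg not in STRONG_HASHES and not allow_weak:
        return "weak-hash"
    actual = hashlib.new(alg, data).hexdigest()
    # Constant-time comparison; the digest is public, but this is the habit
    # to keep for any hex-string equality check in a verifier.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


# --- constructed sample data (not a real package) ---------------------------
SAMPLE_DATA = b"constructed tarball contents for the example"
_BASE_URL = "https://example.invalid/pkg-1.0.tar.gz"
SAMPLE_URL = _BASE_URL + "#sha256=" + hashlib.sha256(SAMPLE_DATA).hexdigest()
LEGACY_MD5_URL = _BASE_URL + "#md5=" + hashlib.md5(SAMPLE_DATA).hexdigest()
UNPROTECTED_URL = _BASE_URL


if __name__ == "__main__":
    for label, url, data in [
        ("sha256 link, intact file", SAMPLE_URL, SAMPLE_DATA),
        ("sha256 link, tampered file", SAMPLE_URL, SAMPLE_DATA + b"\x00"),
        ("md5 link, default policy", LEGACY_MD5_URL, SAMPLE_DATA),
        ("no fragment at all", UNPROTECTED_URL, SAMPLE_DATA),
    ]:
        print(f"{label:28s} -> {verify_download(url, data)}")
```

Running it prints one line per case; the "no fragment at all" and "md5 link" cases are the ones an install policy should refuse by default, with `allow_weak=True` available only as an explicit, visible opt-in for legacy links.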