[Catalog-sig] Deprecate External Links

Ronald Oussoren ronaldoussoren at mac.com
Wed Feb 27 17:30:23 CET 2013


On 27 Feb, 2013, at 16:42, Donald Stufft <donald.stufft at gmail.com> wrote:

> On Wednesday, February 27, 2013 at 10:39 AM, M.-A. Lemburg wrote:
>> -1.
>> 
>> There are many reasons for not hosting packages and distributions
>> on PyPI itself.
>> 
>> If you use and trust a package, you also have to know and trust its
>> dependencies, no matter where they are hosted, so you're not gaining
>> any security by disabling links to other download locations: if
>> you don't trust the way a package is hosted, you don't use it; if
>> you do, then removing the link breaks the package and all its
>> dependencies.
> You also have to know and trust the hosting locations for all of them, and
> if they are not available via SSL you have to know and trust that there is
> not a MITM available. 

The security bits are still in flux, AFAIK both proposals won't require SSL for the 
actual download to be secure.

>> 
>> Instead of suggesting removing support for externally hosted packages,
>> why not propose a mechanism to provide a more direct/secure way to
>> reference them?
> I did mention a method for doing that in my email. However there are reasons
> beyond the security ones to require packages being hosted on PyPI. Namely
> uptime, privacy, and performance.

You only mentioned restricting downloads to the 'Download-URL' property in the 
package metadata. Another alternative would be to add a PyPI API for registering
specific downloads with the same restrictions on filenames as for files hosted 
by PyPI itself.  With that PyPI could be queried for the exact downloads associated
with a release instead of having to perform screen scraping.

At this time I don't know if requiring that files are hosted on PyPI is a good idea;
as Marc-Andre said, there are reasons for hosting them elsewhere.  That might
change when the package signing infrastructure is further specified.

Ronald

P.S. And only using downloads hosted on PyPI doesn't require changes to PyPI
anyway, just patches to pip and setuptools :-)

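The message above contrasts screen-scraping a "simple" index page with querying PyPI for the exact files registered for a release. The following Python sketch is an added example, not code from this thread or from pip, setuptools or PyPI. It builds a constructed index page, sorts the links on it into index-hosted versus external downloads, flags downloads fetched over plain HTTP (the MITM exposure Donald raises), and checks a `#md5=` style hash fragment against the file bytes. The host name `pypi.python.org`, the sample file and the hash-fragment convention are assumptions for the example; a link that carries no fragment yields `None` because there is nothing on the page to verify it against.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample distribution file and its digest (not a real PyPI artefact).
SAMPLE_FILE = b"example-1.0 contents\n"
SAMPLE_MD5 = hashlib.md5(SAMPLE_FILE).hexdigest()

# Constructed "simple" index page of the kind a client would have to scrape.
# First link: hosted on the index itself, with a hash fragment to verify against.
# Second link: external download over plain HTTP, no fragment.
# Third link: a project homepage, not a distribution file.
SAMPLE_INDEX = f"""<html><body>
<a href="https://pypi.python.org/packages/source/e/example/example-1.0.tar.gz#md5={SAMPLE_MD5}">example-1.0.tar.gz</a>
<a href="http://downloads.example.org/dist/example-1.0.zip">example-1.0.zip</a>
<a href="http://example.org/" rel="homepage">home</a>
</body></html>"""

ANCHOR_RE = re.compile(r"<a\s+([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')
HASH_RE = re.compile(r"^(md5|sha1|sha256)=([0-9a-f]+)$", re.IGNORECASE)


def extract_links(html):
    """Return (href, rel) pairs for every <a> tag on the page."""
    links = []
    for match in ANCHOR_RE.finditer(html):
        attrs = dict(ATTR_RE.findall(match.group(1)))
        if "href" in attrs:
            links.append((attrs["href"], attrs.get("rel", "")))
    return links


def classify_links(html, index_host):
    """Sort scraped links by hosting location and transport.

    'hosted'     - files served by the index host itself
    'external'   - files served from anywhere else
    'plain_http' - any download link not fetched over HTTPS
    'non_file'   - links that are not distribution files (e.g. homepages)
    """
    result = {"hosted": [], "external": [], "plain_http": [], "non_file": []}
    for href, rel in extract_links(html):
        parsed = urlparse(href)
        # A homepage link or a URL ending in '/' is not a downloadable file.
        if rel == "homepage" or parsed.path.endswith("/"):
            result["non_file"].append(href)
            continue
        if parsed.netloc == index_host:
            result["hosted"].append(href)
        else:
            result["external"].append(href)
        if parsed.scheme != "https":
            result["plain_http"].append(href)
    return result


def verify_hash_fragment(url, data):
    """Check the downloaded bytes against the URL's '#<algo>=<hex>' fragment.

    Returns True/False when a fragment is present, or None when the link
    carries no digest and the file therefore cannot be verified from the index.
    """
    match = HASH_RE.match(urlparse(url).fragment)
    if not match:
        return None
    algo, expected = match.group(1).lower(), match.group(2).lower()
    return hashlib.new(algo, data).hexdigest() == expected


if __name__ == "__main__":
    summary = classify_links(SAMPLE_INDEX, "pypi.python.org")
    for kind, urls in summary.items():
        print(kind, urls)
    for url in summary["hosted"] + summary["external"]:
        print(url.split("#")[0], "->", verify_hash_fragment(url, SAMPLE_FILE))
```

The classification by itself confers no trust; it only tells the client which files it can check against something the index asserted and which it is taking on faith from a third-party host. That is the gap a registration API with fixed filenames and digests would close without the scraping step.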
