[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

Jesse Noller jnoller at gmail.com
Tue Mar 12 18:33:55 CET 2013


> 
> And I've put multiple compromise proposals out there to begin
> mitigating the problem *now* (i.e. for non-updated versions of
> setuptools), and every time, the objection is, "no, we need to ban it
> all now, no discussion, no re-evaluation, no personal choice, everyone
> must do as we say, no argument".
> 
> And I don't understand that, at all.

There's not much to understand: external hosting of packages is *actively harmful*, period. End users of easy_install and pip *don't even realize* 99% of the time that these tools are following links off of PyPI and installing packages from random, probably insecure/non-HTTPS locations all over the internet. Once they realize it they recoil in terror if they have any understanding of the implications.

Let me put this in different terms: of the packages using external hosting, can you prove to me that 100% of them aren't compromised machines serving malware, performing MITM attacks, etc.? The fact that the end user tools support this is a bug, but one from history. The fact that PyPI continues to support external links on simple/ is inexcusable given that we know that they are an attack vector.

A simple proof of concept on a popular package hosted off site deployed during PyCon would be terrible; it was bad enough that last year people were trying to MITM due to lack of SSL.

jesse
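The concrete risk Jesse describes is that an installer reading a `/simple/<project>/` page will follow any link it finds, including links to hosts other than the index and links served over plain HTTP. The script below is an added example (not part of this thread and not PyPI's or pip's own code) that audits one such index page and reports which links would take an installer off-site or off HTTPS. The index HTML and all hostnames in it are constructed for illustration; `INDEX_URL` is an assumed stand-in for the real index address, and treating `rel="download"` / `rel="homepage"` as pages the installer would crawl follows the convention setuptools used at the time.

```python
"""Audit a PyPI-style /simple/<project>/ page for off-site and plain-HTTP links.

Added example for the thread above, not code from PyPI, pip or setuptools.
The sample index and every hostname in it are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumed location of the index page being audited (constructed, not a real host).
INDEX_URL = "https://pypi.example.org/simple/example/"

# Constructed sample of what a simple index page looked like when external
# hosting was allowed: one file served by the index itself, two files hosted
# elsewhere (one over HTTPS, one over HTTP), and two pages the installer would
# crawl for further links.
SAMPLE_INDEX = """
<html><body>
<a href="../../packages/source/e/example/example-1.0.tar.gz#md5=0123abcd">example-1.0.tar.gz</a>
<a href="https://downloads.mirror-example.net/example-1.1.tar.gz">example-1.1.tar.gz</a>
<a href="http://files.someone-example.org/example-1.2.tar.gz">example-1.2.tar.gz</a>
<a href="http://someone-example.org/downloads/" rel="download">download page</a>
<a href="https://project-example.org/" rel="homepage">home</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, rel) pairs from every <a> tag on the page."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        if href:
            self.links.append((href, attrs.get("rel")))


def audit_index(html, base_url):
    """Return one finding per link on the page.

    external     - link resolves to a host other than the index host
    plain_http   - link is fetched without TLS
    crawl_target - a rel="download"/"homepage" page the installer would
                   scrape for yet more links (assumed convention, see lead-in)
    """
    collector = LinkCollector()
    collector.feed(html)
    index_host = urlsplit(base_url).hostname
    findings = []
    for href, rel in collector.links:
        absolute = urljoin(base_url, href)   # relative hrefs stay on the index host
        parts = urlsplit(absolute)
        findings.append({
            "url": absolute,
            "rel": rel,
            "external": parts.hostname != index_host,
            "plain_http": parts.scheme == "http",
            "crawl_target": rel in ("download", "homepage"),
        })
    return findings


def risky_links(html, base_url):
    """URLs an installer would follow off the index host or over plain HTTP."""
    return [f["url"] for f in audit_index(html, base_url)
            if f["external"] or f["plain_http"]]


if __name__ == "__main__":
    for f in audit_index(SAMPLE_INDEX, INDEX_URL):
        flags = [k for k in ("external", "plain_http", "crawl_target") if f[k]]
        print(f"{f['url']:<70} {' '.join(flags) or 'ok'}")
```

Run against the constructed page, only the first link (relative, so resolved onto the index host over HTTPS) passes; the other four are either off-site, plain HTTP, or both, and two of them are pages the installer would crawl further. The same walk over a real index is what lets a maintainer see, before any user does, whether a project's installs depend on hosts nobody at the index controls.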

