[Python-checkins] peps: PEP 464: drop the legacy mirror checking API
nick.coghlan
python-checkins at python.org
Tue Mar 4 11:50:40 CET 2014
http://hg.python.org/peps/rev/8daf4ec34acb
changeset: 5397:8daf4ec34acb
user: Nick Coghlan <ncoghlan at gmail.com>
date: Tue Mar 04 20:50:03 2014 +1000
summary:
PEP 464: drop the legacy mirror checking API
files:
pep-0464.txt | 85 ++++++++++++++++++++++++++++++++++++++++
1 files changed, 85 insertions(+), 0 deletions(-)
diff --git a/pep-0464.txt b/pep-0464.txt
new file mode 100644
--- /dev/null
+++ b/pep-0464.txt
@@ -0,0 +1,85 @@
+PEP: 464
+Title: Removal of the PyPI Mirror Authenticity API
+Version: $Revision$
+Last-Modified: $Date$
+Author: Donald Stufft <donald at stufft.io>
+BDFL-Delegate: Richard Jones <richard at python.org>
+Discussions-To: distutils-sig at python.org
+Status: Draft
+Type: Process
+Content-Type: text/x-rst
+Created: 02-Mar-2014
+Post-History: 03-Mar-2014
+Replaces: 381
+
+
+Abstract
+========
+
+This PEP proposes the deprecation and removal of the PyPI Mirror Authenticity
+API, this includes the /serverkey URL and all of the URLs under /serversig.
+
+
+Rationale
+=========
+
+The PyPI mirroring infrastructure (defined in PEP 381) provides a means to
+mirror the content of PyPI used by the automatic installers, and as a component
+of that, it provides a method for verifying the authenticity of the mirrored
+content.
+
+This PEP proposal the removal of this API due to:
+
+* No known implementations that utilize this API are known, this includes
+ `pip <http://www.pip-installer.org/en/latest/>`_ and
+ `setuptools <http://pythonhosted.org//setuptools/>`_.
+* Because this API uses DSA it is vulnerable to leaking the private key if
+ there is *any* bias in the random nonce.
+* This API solves one small corner of the trust problem, however the problem
+ itself is much larger and it would be better to have a fully fledged system,
+ such as `The Update Framework <https://python.org/dev/peps/pep-0458/>`_,
+ instead.
+
+Due to the issues it has and the lack of use it is the opinion of this PEP
+that it does not provide any practical benefit to justify the additional
+complexity.
+
+
+Plan for Deprecation & Removal
+==============================
+
+Immediately upon the acceptance of this PEP the Mirror Authenticity API will
+be considered deprecated and mirroring agents and installation tools should
+stop accessing it.
+
+Instead of actually removing it from the current code base (PyPI 1.0) the
+current work to replace PyPI 1.0 with a new code base (PyPI 2.0) will simply
+not implement this API. This would cause the API to be "removed" when the
+switch from 1.0 to 2.0 occurs.
+
+If PyPI 2.0 has not been deployed in place of PyPI 1.0 by Sept 01 2014 then
+this PEP will be implemented in the PyPI 1.0 code base instead (by removing
+the associated code).
+
+No changes will be required in the installers, however PEP 381 compliant
+mirroring clients, such as
+`bandersnatch <https://pypi.python.org/pypi/bandersnatch/>`_ and
+`pep381client <https://pypi.python.org/pypi/pep381client/>`_ will need to be
+updated to no longer attempt to mirror the /serversig URLs.
+
+
+Copyright
+=========
+
+This document has been placed in the public domain.
+
+
+
+..
+ Local Variables:
+ mode: indented-text
+ indent-tabs-mode: nil
+ sentence-end-double-space: t
+ fill-column: 70
+ coding: utf-8
+ End:
--
Repository URL: http://hg.python.org/peps
More information about the Python-checkins
mailing list