[Catalog-sig] A 90% Solution

Nick Coghlan ncoghlan at gmail.com
Tue Mar 12 00:50:52 CET 2013


Richard's in transit at the moment and I'm about to be, but this sounds
worth doing to me.

I say send the pull request :)

Cheers,
Nick.
On 12 Mar 2013 09:42, "Donald Stufft" <donald at stufft.io> wrote:

>
> On Mar 11, 2013, at 7:04 PM, PJ Eby <pje at telecommunity.com> wrote:
>
> > Just a thought, but...
> >
> > If 90% of PyPI projects do not have any external files to download,
> > then, wouldn't it make sense to:
>
> To be accurate it's 90% don't have any files/release available *only*
> externally. Most have external files to download because it's very rare
> that a project doesn't include a home_page or a download_url, especially
> since distutils complains if you don't.
>
> >
> > 1. Add a project-level option to enable or disable the adding of the
> > rel="" attribute to /simple links (but not affecting the links in any
> > other way)
> > 2. Default it to disabled for new projects, and
> > 3. Set it to disabled *now* for the 90% of projects that *don't have
> > external files*?
>
> +1 except 1. should be to remove the links entirely from the /simple/
> index, not to just remove the rel attribute.
>
> >
> > If the arguments about banning external links are as valid and
> > important as some people claim, wouldn't it make sense to do this part
> > *now*, without first requiring a commitment to force the switch to a
> > disabled state in the future?
> >
> > Immediately, 90% of the problem goes away - no random spidering of
> > stuff that doesn't contain a link now, but which could be taken over
> > by a malicious party in the future, and 90% fewer sites having to be
> > up in order for you to build something from PyPI.
> >
> > Seems like a serious win to me -- and one that might not even need a PEP.
>
> Absolutely, and similar to something I asked Richard at the start of this,
> I'm waiting on an OK from someone with authority that they'd merge such a
> change and I'll have a PR out for it asap after that.
>
> >
> > Next steps after this would be providing tools to help people move
> > their files and links, promoting that people switch it off if they no
> > longer support the offsite links, educating about security concerns,
> > etc.
> >
> > I really don't understand why the 90% solution isn't *already* the
> > consensus position, since it doesn't preclude follow-on efforts
> > towards reducing the 10% towards 0%.
> >
> > And if the problem is so important, why must we keep 90% of the
> > problems in place, just so we can keep arguing about censoring the
> > 10%?  That doesn't make sense to me.
> >
> > To me, if somebody's injured, the first thing you do is clean and
> > close the wound, not argue about whether it's a complete solution and
> > what might happen days or weeks later.
>
> Like I said above, I'm just waiting on an OK that this has a chance of
> landing before bothering to implement it.
>
> >
> > Just a thought.
> > _______________________________________________
> > Catalog-SIG mailing list
> > Catalog-SIG at python.org
> > http://mail.python.org/mailman/listinfo/catalog-sig
>
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
>
>
>
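The distinction Donald draws above (a project *having* external links versus having releases available *only* externally) and the change PJ and Donald propose (drop the spidered rel="homepage"/rel="download" links from the /simple/ page for projects that host all their files on PyPI) can be made concrete in a few lines. The following is an added example, not code from the thread or from PyPI itself. It assumes the index conventions of the time: release files appear as relative links under ../../packages/ (or absolute links on an assumed index host, pypi.python.org), while the project's home_page and download_url appear as anchors with rel="homepage" and rel="download", which installers would follow to look for more files. The two sample pages are constructed for the example.

```python
"""Classify and filter links on a PyPI /simple/<project>/ page (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

INDEX_HOST = "pypi.python.org"            # assumed index host
SPIDERED_RELS = {"homepage", "download"}  # rel values installers would spider

# Constructed sample: one file hosted on the index plus home_page/download_url links.
SAMPLE_PAGE = """<html><head><title>Links for foo</title></head><body>
<h1>Links for foo</h1>
<a href="../../packages/source/f/foo/foo-1.0.tar.gz#md5=0123456789abcdef0123456789abcdef">foo-1.0.tar.gz</a><br/>
<a href="https://foo.example.org/" rel="homepage">1.0 home_page</a><br/>
<a href="https://foo.example.org/dl/foo-1.0.tar.gz" rel="download">1.0 download_url</a><br/>
</body></html>
"""

# Constructed sample: no hosted files at all, only an off-site home_page (the 10% case).
EXTERNAL_ONLY_PAGE = """<html><body><h1>Links for bar</h1>
<a href="http://bar.example.net/" rel="homepage">0.3 home_page</a><br/>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect {"href", "rel", "text"} for every <a> element on the page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._current = {"href": a.get("href") or "", "rel": a.get("rel") or "", "text": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def parse_links(page_html):
    parser = _LinkCollector()
    parser.feed(page_html)
    parser.close()
    return parser.links


def is_hosted_file(link):
    """True when the link points at a release file served by the index itself."""
    parts = urlsplit(link["href"])
    if parts.scheme or parts.netloc:
        return parts.netloc == INDEX_HOST and "/packages/" in parts.path
    return parts.path.startswith("../../packages/")


def is_spidered_external(link):
    """True for the home_page/download_url anchors an installer would crawl."""
    return bool(set(link["rel"].split()) & SPIDERED_RELS)


def classify_project(page_html):
    """Count hosted files and spidered external links; flag the externally-only case."""
    links = parse_links(page_html)
    hosted = sum(1 for link in links if is_hosted_file(link))
    external = sum(1 for link in links if is_spidered_external(link))
    return {
        "hosted_files": hosted,
        "external_links": external,
        # Only this subset would actually lose releases if external links were dropped.
        "externally_only": hosted == 0 and external > 0,
    }


# One <a ...>...</a> element plus its trailing <br/> and newline, if present.
_ANCHOR_RE = re.compile(r"<a\b[^>]*>.*?</a>(?:\s*<br\s*/?>)?[ \t]*\n?", re.I | re.S)


def strip_external_links(page_html):
    """Remove the rel="homepage"/rel="download" anchors entirely (Donald's variant),
    leaving hosted file links and the rest of the page untouched."""
    def drop_if_external(match):
        link = parse_links(match.group(0))[0]
        return "" if is_spidered_external(link) else match.group(0)
    return _ANCHOR_RE.sub(drop_if_external, page_html)


if __name__ == "__main__":
    print(classify_project(SAMPLE_PAGE))
    print(classify_project(EXTERNAL_ONLY_PAGE))
    print(strip_external_links(SAMPLE_PAGE))
```

Run against a project's real /simple/ page, classify_project tells you which bucket it falls in: for the 90% case (hosted_files > 0, externally_only False) strip_external_links removes every link an installer would otherwise crawl off-site while leaving the downloadable files alone, which is exactly the change being proposed. For the externally-only case the function reports it rather than silently breaking the project, so a migration tool could leave those pages as they are pending the follow-on work PJ mentions.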