[Catalog-sig] A 90% Solution

holger krekel holger at merlinux.eu
Tue Mar 12 09:21:18 CET 2013


On Mon, Mar 11, 2013 at 19:04 -0400, PJ Eby wrote:
> Just a thought, but...
> 
> If 90% of PyPI projects do not have any external files to download,
> then, wouldn't it make sense to:

Sidenote: we need to verify and clarify the 90/10 ratio.  It would be
the basis for action (changing the pypi state), so we need to have this accurate
and double-checked.

> 1. Add a project-level option to enable or disable the adding of the
> rel="" attribute to /simple links (but not affecting the links in any
> other way)
> 2. Default it to disabled for new projects, and
> 3. Set it to disabled *now* for the 90% of projects that *don't have
> external files*?
>
> If the arguments about banning external links are as valid and
> important as some people claim, wouldn't it make sense to do this part
> *now*, without first requiring a commitment to force the switch to a
> disabled state in the future?

Pre-announcing the step to maintainers is good communication style.
There is always the issue of bugs in your determination of "external hosting",
or of tools that rely on "rel" attributes without us knowing, etc.

> Immediately, 90% of the problem goes away - no random spidering of
> stuff that doesn't contain a link now, but which could be taken over
> by a malicious party in the future, and 90% fewer sites having to be
> up in order for you to build something from PyPI.
> 
> Seems like a serious win to me -- and one that might not even need a PEP.

Yes and no: a PEP-like document is a good place to point people to.

> Next steps after this would be providing tools to help people move
> their files and links, promoting that people switch it off if they no
> longer support the offsite links, educating about security concerns,
> etc.
>
> I really don't understand why the 90% solution isn't *already* the
> consensus position, since it doesn't preclude follow-on efforts
> towards reducing the 10% towards 0%.
>
> And if the problem is so important, why must we keep 90% of the
> problems in place, just so we can keep arguing about censoring the
> 10%?  That doesn't make sense to me.

The idea of changing only the pypi-server side evolved just last week,
so we are not that slow in moving on here :)

cheers,
holger


> 
> To me, if somebody's injured, the first thing you do is clean and
> close the wound, not argue about whether it's a complete solution and
> what might happen days or weeks later.
> 
> Just a thought.
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG at python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
> 
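The thread above turns on two checks: which projects reference anything off PyPI at all (the "90%" determination holger wants double-checked), and which links an installer would actually follow because of a rel="" attribute (the part PJ Eby proposes switching off). The following is an added example, not code from the thread or from PyPI/pip/setuptools, that runs both checks over a /simple/<project>/ page. It assumes pypi.python.org as the hostname PyPI served files from at the time, assumes rel="homepage" and rel="download" as the values installers of the day followed off-site, uses a constructed sample page rather than a real project, and simulates the proposed project-level switch by simply dropping rel attributes while leaving the links in place. Off-site links that carry no rel are reported in a separate bucket, since the proposal does not touch them.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Assumption: the hostname PyPI served /simple pages and package files from in 2013.
PYPI_HOSTS = {"pypi.python.org"}

# Assumption: the rel values installers of the day followed to scrape further
# download links from an off-site page.
SPIDERED_RELS = {"homepage", "download"}

# Constructed sample /simple/<project>/ page; "demo" is not a real project.
BASE_URL = "https://pypi.python.org/simple/demo/"
SAMPLE_HTML = """<html><head><title>Links for demo</title></head><body>
<h1>Links for demo</h1>
<a href="../../packages/source/d/demo/demo-1.0.tar.gz#md5=0123456789abcdef">demo-1.0.tar.gz</a><br/>
<a href="http://example.org/demo/" rel="homepage">1.0 home_page</a><br/>
<a href="http://example.org/demo/demo-1.0.zip" rel="download">1.0 download_url</a><br/>
</body></html>
"""


class SimpleIndexParser(HTMLParser):
    """Collect every <a href> on a simple-index page together with its rel tokens."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []  # list of (absolute_url, set_of_rel_tokens)

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        if not href:
            return
        rel = set((attrs.get("rel") or "").lower().split())
        # Relative hrefs (../../packages/...) resolve against the page URL.
        self.links.append((urljoin(self.base_url, href), rel))


def classify_links(html, base_url):
    """Split links into PyPI-hosted, rel-spidered external, and plain external."""
    parser = SimpleIndexParser(base_url)
    parser.feed(html)
    parser.close()
    buckets = {"internal": [], "spidered_external": [], "plain_external": []}
    for url, rel in parser.links:
        host = (urlsplit(url).hostname or "").lower()
        if host in PYPI_HOSTS:
            buckets["internal"].append(url)
        elif rel & SPIDERED_RELS:
            buckets["spidered_external"].append(url)
        else:
            buckets["plain_external"].append(url)
    return buckets


def has_external_links(html, base_url):
    """The '90%' test: does the project reference anything off PyPI at all?"""
    b = classify_links(html, base_url)
    return bool(b["spidered_external"] or b["plain_external"])


def strip_rel_attributes(html):
    """Simulate the proposed per-project switch: drop rel="..." but keep the links."""
    return re.sub(r'\s+rel="[^"]*"', "", html)


if __name__ == "__main__":
    before = classify_links(SAMPLE_HTML, BASE_URL)
    after = classify_links(strip_rel_attributes(SAMPLE_HTML), BASE_URL)
    print("references off-site content:", has_external_links(SAMPLE_HTML, BASE_URL))
    print("spidered with rel   :", before["spidered_external"])
    print("spidered without rel:", after["spidered_external"])
```

Run against the sample page, the project counts as "has external files" both before and after the switch (the example.org links are still on the page), but the set of links an installer would spider drops from two to zero once the rel attributes are gone. That is exactly the distinction the thread is debating: the switch removes the crawl, not the links.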

