[Catalog-sig] V3 PEP-draft for transitioning to pypi-hosting of release files

holger krekel holger at merlinux.eu
Thu Mar 14 09:58:01 CET 2013


On Wed, Mar 13, 2013 at 23:43 -0700, Nick Coghlan wrote:
> On Wed, Mar 13, 2013 at 5:16 PM, Carl Meyer <carl at oddbird.net> wrote:
> > There is no "instead of." There are parallel proposals (see the TUF
> > thread) to improve the security of the ecosystem, and those proposals
> > are not mutually exclusive with this one. If you search the PEP text,
> > note that you don't find the words "secure" or "security" anywhere
> > within it, or any claims of security achieved by this proposal alone.
> > There is a brief mention of MITM attacks, which is relevant to the PEP
> > because avoiding external link-crawling does reduce that attack surface,
> > even if other proposals will also help with that (even more).
> 
> Right, the changes to provide end-to-end security require more
> extensive changes and need to be given appropriate consideration
> before we proceed to implementation and deployment. This PEP,
> especially with the additional changes you propose here, is an
> excellent approach to *near term* improvement, as a parallel effort to
> the more complex proposals.
> 
> The /simple/ index will also be around for a long time for backwards
> compatibility reasons, regardless of any other changes that happen in
> the overall distribution ecosystem.

I haven't followed the latest TUF discussions and related docs in
depth yet, but if those developments will regard "simple/" as a deprecated
interface, I think this PEP here should maybe not introduce
"simple/-with-externals" as it will just make the situation more
complicated for everyone to understand in a few months from now.

best,
holger


> Cheers,
> Nick.
> 
> -- 
> Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia