[Distutils] PEP464 - Removal of the PyPI Mirror Authenticity API

Donald Stufft donald at stufft.io
Thu Mar 6 01:43:53 CET 2014


Also want to make sure the original authors of PEP381 and the mirroring clients
are aware of this PEP!

On Mar 5, 2014, at 7:31 PM, Donald Stufft <donald at stufft.io> wrote:

> Just a ping on this :) I’m assuming nobody actually cares because it’s an unused API
> but since it was introduced through a PEP I wanted to remove it through a PEP.
> 
> On Mar 4, 2014, at 2:48 PM, Donald Stufft <donald at stufft.io> wrote:
> 
>> Hello! I’d like to propose PEP464, the removal of the PyPI Mirror Authenticity API which was originally described in PEP381.
>> 
>> The text of the PEP is below, or it can be viewed online at https://python.org/dev/peps/pep-0464/
>> 
>> PEP: 464
>> Title: Removal of the PyPI Mirror Authenticity API
>> Version: $Revision$
>> Last-Modified: $Date$
>> Author: Donald Stufft <donald at stufft.io>
>> BDFL-Delegate: Richard Jones <richard at python.org>
>> Discussions-To: distutils-sig at python.org
>> Status: Draft
>> Type: Process
>> Content-Type: text/x-rst
>> Created: 02-Mar-2014
>> Post-History: 03-Mar-2014
>> Replaces: 381
>> 
>> 
>> Abstract
>> ========
>> 
>> This PEP proposes the deprecation and removal of the PyPI Mirror Authenticity
>> API; this includes the /serverkey URL and all of the URLs under /serversig.
>> 
>> 
>> Rationale
>> =========
>> 
>> The PyPI mirroring infrastructure (defined in PEP 381) provides a means to
>> mirror the content of PyPI used by the automatic installers, and as a component
>> of that, it provides a method for verifying the authenticity of the mirrored
>> content.
>> 
>> This PEP proposes the removal of this API due to:
>> 
>> * No implementations that utilize this API are known; this includes
>> `pip <http://www.pip-installer.org/en/latest/>`_ and
>> `setuptools <http://pythonhosted.org//setuptools/>`_.
>> * Because this API uses DSA it is vulnerable to leaking the private key if
>> there is *any* bias in the random nonce.
>> * This API solves one small corner of the trust problem, however the problem
>> itself is much larger and it would be better to have a fully fledged system,
>> such as `The Update Framework <https://python.org/dev/peps/pep-0458/>`_,
>> instead.
>> 
>> Due to the issues it has and the lack of use it is the opinion of this PEP
>> that it does not provide any practical benefit to justify the additional
>> complexity.
>> 
>> 
>> Plan for Deprecation & Removal
>> ==============================
>> 
>> Immediately upon the acceptance of this PEP the Mirror Authenticity API will
>> be considered deprecated and mirroring agents and installation tools should
>> stop accessing it.
>> 
>> Instead of actually removing it from the current code base (PyPI 1.0) the
>> current work to replace PyPI 1.0 with a new code base (PyPI 2.0) will simply
>> not implement this API. This would cause the API to be "removed" when the
>> switch from 1.0 to 2.0 occurs.
>> 
>> If PyPI 2.0 has not been deployed in place of PyPI 1.0 by Sept 01 2014 then
>> this PEP will be implemented in the PyPI 1.0 code base instead (by removing
>> the associated code).
>> 
>> No changes will be required in the installers, however PEP 381 compliant
>> mirroring clients, such as
>> `bandersnatch <https://pypi.python.org/pypi/bandersnatch/>`_ and
>> `pep381client <https://pypi.python.org/pypi/pep381client/>`_ will need to be
>> updated to no longer attempt to mirror the /serversig URLs.
>> 
>> 
>> Copyright
>> =========
>> 
>> This document has been placed in the public domain.
>> 
>> -----------------
>> Donald Stufft
>> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>> 
>> _______________________________________________
>> Distutils-SIG maillist  -  Distutils-SIG at python.org
>> https://mail.python.org/mailman/listinfo/distutils-sig
> 
> 

