[prev in list] [next in list] [prev in thread] [next in thread] 

List:       python-distutils-sig
Subject:    Re: [Distutils] Remove the "Mirror Authenticity" API
From:       Richard Jones <richard () mechanicalcat ! net>
Date:       2013-09-29 7:58:26
Message-ID: CAHrZfZANxbmf0jOG1GgW8j4g6aYwoiZ2yg=mdsPq=wyy3-F5hw () mail ! gmail ! com
[Download RAW message or body]

[Attachment #2 (multipart/alternative)]


Er, yeah, sorry, I misspoke there. The change I made to the page just talks
about the DNS being killed off and points to the PEP.


On 29 September 2013 16:44, Donald Stufft <donald@stufft.io> wrote:

> Only the naming scheme is dead, protocol itself is still fine.
>
> On Sep 29, 2013, at 1:52 AM, Richard Jones <richard@mechanicalcat.net>
> wrote:
>
> Like Nick I'm not sure I see the urgency here. I'm going to add a
> deprecation statement to the public mirroring page at /mirrors so it's
> clear that protocol is dead (not just resting).
>
>
>     Richard
>
>
> On 29 September 2013 13:07, Donald Stufft <donald@stufft.io> wrote:
>
>>
>> On Sep 28, 2013, at 10:16 PM, Nick Coghlan <ncoghlan@gmail.com> wrote:
>>
>> > On 29 September 2013 11:10, Noah Kantrowitz <noah@coderanger.net>
>> wrote:
>> >> +1
>> >>
>> >> --Noah
>> >
>> > Deprecating it as a consequence of PEP 449 makes sense, but is there
>> > any urgency to dropping it?
>> >
>> > I'm not necessarily opposed to removing it, but what's the specific
>> > *gain* in doing so? If it's just a matter of wanting to skip
>> > implementing it for Warehouse, then I'd say +1 to leaving it out of
>> > the API reimplementation, but I don't yet see the advantage in
>> > removing it from the existing PyPI code base.
>> >
>> > If we do remove it, then it should probably only be after all the old
>> > autodiscovery domain names have been redirected back to the main PyPI
>> > server.
>> >
>> > Cheers,
>> > Nick.
>> >
>> > --
>> > Nick Coghlan   |   ncoghlan@gmail.com   |   Brisbane, Australia
>>
>> Well the underlying reason is I think it's a dead end and I don't want to
>> implement it in Warehouse.
>>
>> The reason for wanting to remove it *now* instead of just letting it
>> naturally
>> die when Warehouse becomes a thing is to remove the (unlikely) chance
>> that someone starts to depend on it in the interim. Basically since afaik
>> nobody even uses it (Crate did for awhile and I had to disable it because
>> of false failures) the risk is minimal to removing it outright to prevent
>> it from
>> being used.
>>
>> Plus if the secret key has leaked (unlikely but possible given the
>> implementation
>> and the use of DSA) it's not just "cruft" it's outright dangerous.
>>
>> -----------------
>> Donald Stufft
>> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372
>> DCFA
>>
>>
>
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372
> DCFA
>
>

[Attachment #5 (text/html)]

<div dir="ltr">Er, yeah, sorry, I misspoke there. The change I made to the page just \
talks about the DNS being killed off and points to the PEP.</div><div \
class="gmail_extra"><br><br><div class="gmail_quote">On 29 September 2013 16:44, \
Donald Stufft <span dir="ltr">&lt;<a href="mailto:donald@stufft.io" \
target="_blank">donald@stufft.io</a>&gt;</span> wrote:<br> <blockquote \
class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex"><div style="word-wrap:break-word"><div>Only the naming scheme \
is dead, protocol itself is still fine.</div><div><div class="h5"> <br><div><div>On \
Sep 29, 2013, at 1:52 AM, Richard Jones &lt;<a \
href="mailto:richard@mechanicalcat.net" \
target="_blank">richard@mechanicalcat.net</a>&gt; wrote:</div><br><blockquote \
type="cite"><div dir="ltr">Like Nick I&#39;m not sure I see the urgency here. I&#39;m \
going to add a deprecation statement to the public mirroring page at /mirrors so \
it&#39;s clear that protocol is dead (not just resting).<div> <br></div>
<div><br></div><div>    Richard</div></div><div class="gmail_extra"><br><br><div \
class="gmail_quote">On 29 September 2013 13:07, Donald Stufft <span dir="ltr">&lt;<a \
href="mailto:donald@stufft.io" target="_blank">donald@stufft.io</a>&gt;</span> \
wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc \
solid;padding-left:1ex"><div><br> On Sep 28, 2013, at 10:16 PM, Nick Coghlan &lt;<a \
href="mailto:ncoghlan@gmail.com" target="_blank">ncoghlan@gmail.com</a>&gt; \
wrote:<br> <br>
&gt; On 29 September 2013 11:10, Noah Kantrowitz &lt;<a \
href="mailto:noah@coderanger.net" target="_blank">noah@coderanger.net</a>&gt; \
wrote:<br> &gt;&gt; +1<br>
&gt;&gt;<br>
&gt;&gt; --Noah<br>
&gt;<br>
&gt; Deprecating it as a consequence of PEP 449 makes sense, but is there<br>
&gt; any urgency to dropping it?<br>
&gt;<br>
&gt; I&#39;m not necessarily opposed to removing it, but what&#39;s the specific<br>
&gt; *gain* in doing so? If it&#39;s just a matter of wanting to skip<br>
&gt; implementing it for Warehouse, then I&#39;d say +1 to leaving it out of<br>
&gt; the API reimplementation, but I don&#39;t yet see the advantage in<br>
&gt; removing it from the existing PyPI code base.<br>
&gt;<br>
&gt; If we do remove it, then it should probably only be after all the old<br>
&gt; autodiscovery domain names have been redirected back to the main PyPI<br>
&gt; server.<br>
&gt;<br>
&gt; Cheers,<br>
&gt; Nick.<br>
&gt;<br>
&gt; --<br>
&gt; Nick Coghlan   |   <a href="mailto:ncoghlan@gmail.com" \
target="_blank">ncoghlan@gmail.com</a>   |   Brisbane, Australia<br> <br>
</div>Well the underlying reason is I think it&#39;s a dead end and I don&#39;t want \
to<br> implement it in Warehouse.<br>
<br>
The reason for wanting to remove it *now* instead of just letting it naturally<br>
die when Warehouse becomes a thing is to remove the (unlikely) chance<br>
that someone starts to depend on it in the interim. Basically since afaik<br>
nobody even uses it (Crate did for awhile and I had to disable it because<br>
of false failures) the risk is minimal to removing it outright to prevent it from<br>
being used.<br>
<br>
Plus if the secret key has leaked (unlikely but possible given the implementation<br>
and the use of DSA) it&#39;s not just &quot;cruft&quot; it&#39;s outright \
dangerous.<br> <div><div><br>
-----------------<br>
Donald Stufft<br>
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA<br>
<br>
</div></div></blockquote></div><br></div>
</blockquote></div><br><div>
<br>-----------------<br>Donald Stufft<br>PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B \
6356 A926 F04F 6E3C BCE9 3372 DCFA

</div>
<br></div></div></div></blockquote></div><br></div>



_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig


[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic