On Sat, Mar 16, 2013 at 3:15 AM, Nick Coghlan <ncogh...@gmail.com> wrote:
>
> On 15 Mar 2013 16:16, "Carl Meyer" <c...@oddbird.net> wrote:
>>
>> tl;dr: I see your points, we'll change the PEP to allow clients to use
>> hostnames instead of the rel attributes if they prefer.
>
> I will veto any such change. Clients MUST NOT assume that the architecture
> of the index service will be limited to a single host name, they must
> process the explicit metadata provided by the index that indicates which
> hosts the index controls.
>
> Adding a "--trust-indices" flag to make this optional in setuptools would be
> fine, but it seems perverse to trust every aspect of an index *except* its
> claims to control additional hosts.

Actually, setuptools trusts redirects, so that mechanism is available for splitting the hosted files to another domain.

As it stands, though, I don't see a way to support this without introducing confusion. The advantage of using allow-hosts based on the index host is that it *also* specifies what to do with dependency links provided by individual packages; the PEP does not provide any real guidance on this point.

So, I have to withdraw my support for the PEP with these recent changes, as it no longer reflects the approach I previously agreed to, and as yet there have been no alternatives proposed to address the user confusion issues (which IMO at least are a big part of the point of having the PEP).

Of course, if redirection is required for non-extrapolatable hostnames, or if somebody comes up with a new and brilliant scheme to manage the menage of permissions needed across dependency_links, the index, and general host trusting issues (while remaining comprehensible and predictable to end users), I'll certainly have a look again. But I took the weekend off from this discussion to try to come up with one myself, and so far I've got nothing.

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
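
An added illustration, not part of the original message and not setuptools' code: a host allow-list seeded from the index URL, applied uniformly to links from the index page and to package-supplied dependency_links, as the message above describes. All function names, hosts and URLs are hypothetical, constructed sample values.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

def allowed_patterns(index_url, extra=()):
    """Allow-list seeded with the index's own host plus explicit glob additions."""
    host = urlsplit(index_url).hostname
    if not host:
        raise ValueError("index URL has no host: %r" % index_url)
    return [host.lower().rstrip(".")] + [p.lower() for p in extra]

def url_ok(url, patterns):
    """True only for http(s) URLs whose hostname matches an allowed pattern."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # strips userinfo and port, lowercases
    except ValueError:
        return False
    if parts.scheme not in ("http", "https") or not host:
        return False
    host = host.rstrip(".")
    return any(fnmatchcase(host, p) for p in patterns)

def filter_links(links, patterns):
    """Split (source, url) pairs into accepted and rejected lists."""
    accepted, rejected = [], []
    for source, url in links:
        (accepted if url_ok(url, patterns) else rejected).append((source, url))
    return accepted, rejected

# Constructed sample data (reserved example domains only).
INDEX = "https://index.example.org/simple/"
LINKS = [
    ("index", "https://index.example.org/packages/pkg-1.0.tar.gz"),
    ("index", "https://files.example.net/pkg-1.0.tar.gz"),
    ("dependency_links", "http://downloads.example.com/dep-0.3.tar.gz"),
    # Userinfo trick: the real host is evil.example, not the index.
    ("dependency_links", "https://index.example.org@evil.example/dep-0.3.tar.gz"),
    # Look-alike suffix: the index name is only a prefix of the host.
    ("dependency_links", "https://index.example.org.evil.example/dep-0.3.tar.gz"),
    ("index", "https://INDEX.Example.org:443/packages/other-2.0.tar.gz"),
]

if __name__ == "__main__":
    accepted, rejected = filter_links(LINKS, allowed_patterns(INDEX))
    for source, url in accepted:
        print("allow ", source, url)
    for source, url in rejected:
        print("reject", source, url)
```

Matching on the parsed hostname rather than the raw netloc is what keeps the userinfo and look-alike URLs out; an extra pattern such as `*.example.net` has to be added explicitly by the user before the second link is accepted.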