oops, forgot to cc to the list

On Fri, Mar 21, 2008 at 12:28 AM, Tarek Ziadé <[EMAIL PROTECTED]> wrote:

> On Thu, Mar 20, 2008 at 9:42 PM, Jeff Rush <[EMAIL PROTECTED]> wrote:
>
> > Tarek Ziadé wrote:
> >
> > > On Thu, Mar 20, 2008 at 12:17 AM, Jeff Rush <[EMAIL PROTECTED]> wrote:
> > >
> > > > - move to https/ssl
> > >
> > > There are a few problems in this area, also related to indexing, we need to work out imho:
> > >
> > > When a package defines a https://... link into the url meta-data, the link will be added in the Simple index besides other links. For instance, people that use sourceforge can have such urls. Even if the package egg or tarball is available at PyPI, the home page url will appear at #1 on the index page.
> > >
> > > This will make tools like easy_install read this link before it reaches the egg/tarball.
> > >
> > > This is OK as long as the users behind the firewalls are allowed to call httpS...
> >
> > It's not clear to me the correct behavior - help me understand:
> >
> > 1. Are there firewall policies that block *all* https access? I've only encountered more fine-grained firewalls because, to me, use of https for _some_ sites is a necessary and expected behavior.
>
> That happened last week for a developer on one project at a customer place. I am not saying it is the right behavior, but that's how I found the problem.
>
> Now maybe such a firewall is too restrictive anyway to allow the usage of a web based repository such as PyPI.
>
> > 2. If we moved PyPI to serve exclusively over https, for integrity reasons, would this have a major negative impact?
>
> Related to 1. I guess it is a choice. As long as it is easy to create mirrors of PyPI. That's what we do in some projects.
>
> Now for https, like Dave says, we cannot create at this time a robust auth handler for it, and our PyPI implementation uses http auth.
>
> So if this patch is pushed it is very cool :)
>
> > 3. Would it be better to sort the URLs, to place the https ones at the end, and allow a fetch error to occur, or provide a .distutils config option to just quietly skip https sites?
>
> I think ordering the URLs and putting the *.egg, *.tar.gz, etc. first would be good yes, as easy_install fetches them in order.
>
> It will also make the system quicker I think, if easy_install would not fetch external home URLs when the right packages are available on the page.
>
> Maybe those could be dropped when the dists are uploaded. That's what I am doing on the PyPI server I work on.
>
> > 4. Is it not a problem that, when checking for newer versions, setuptools would be unable to access a newer version on an https site and would have to settle for an older version on a non-https site, leading to stale packages?
>
> Good point. But I guess that as long as the system allows external urls, we can't prevent such failures.
>
> We have some mirrors for that as a matter of fact, not to rely on third party servers that are sometimes down or moving things around.
>
> > -Jeff
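The link ordering discussed in points 3 and 4 above (distribution files first, external home page links after them, https links last or skipped via a config switch), as an added illustration that is not code from the thread or from setuptools. The index page, the `DIST_SUFFIXES` list and the `skip_https` option are constructed assumptions for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed set of suffixes an installer would treat as downloadable dists
DIST_SUFFIXES = (".egg", ".tar.gz", ".tgz", ".zip", ".tar.bz2")


class _LinkCollector(HTMLParser):
    """Collect href values of <a> tags in document order."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def is_dist_link(url):
    """True when the URL path (fragment such as #md5= ignored) names a dist file."""
    return urlparse(url).path.lower().endswith(DIST_SUFFIXES)


def order_index_links(html, skip_https=False):
    """Return the index links reordered: dist files, then plain external
    links, then https links. With skip_https the https links are dropped,
    mirroring the proposed .distutils config option."""
    collector = _LinkCollector()
    collector.feed(html)
    dists, plain, secure = [], [], []
    for url in collector.links:
        if is_dist_link(url):
            dists.append(url)            # egg/tarball served by the index
        elif urlparse(url).scheme == "https":
            secure.append(url)           # external https home page
        else:
            plain.append(url)            # external http home page / mirror
    return dists + plain + ([] if skip_https else secure)


# Constructed sample: the https home page link precedes the egg and tarball,
# which is the situation described in the thread.
SAMPLE_INDEX = """<html><body><h1>Links for foo</h1>
<a href="https://foo.sourceforge.net/">foo home page</a><br/>
<a href="../../packages/foo-1.0-py2.5.egg#md5=placeholder">foo-1.0-py2.5.egg</a><br/>
<a href="http://mirror.example.org/foo/">foo mirror</a><br/>
<a href="../../packages/foo-1.0.tar.gz">foo-1.0.tar.gz</a><br/>
</body></html>"""
```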
_______________________________________________ Distutils-SIG maillist - [email protected] http://mail.python.org/mailman/listinfo/distutils-sig
