On Jul 25, 2013, at 2:14 AM, Noah Kantrowitz <n...@coderanger.net> wrote:
>
> On Jul 24, 2013, at 10:38 PM, Richard Jones wrote:
>
>> Hi all,
>>
>> I've just been contacted by someone who's set up a new public mirror
>> of PyPI and would like it integrated into the mirror ecosystem.
>>
>> I think it's probably time we thought about how to demote the mirrors:
>>
>> - they cause problems with security (being under the python.org domain
>>   causes various issues including inability to use HTTPS and cookie
>>   issues)
>> - they're no longer necessary thanks to the CDN work
>>
>> So, things to do:
>>
>> - links and information on PyPI itself can be removed
>> - tools that use mirrors still need to be able to but mention of using
>>   public mirrors is probably something to demote
>>
>> These are just rough thoughts that occurred to me just now.
>
> +1, as envoy of infrastructure team we would like to formally retire the
> [a-z].pypi.python.org names. Anyone with an existing mirror should be
> encouraged to continue maintaining it, but it will be for their own use (or
> the use of their company/internal network).
>
> --Noah
>
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG@python.org
> http://mail.python.org/mailman/listinfo/distutils-sig

+1 as well. 2/6 of the mirrors are gone already and I don't think anyone actually implemented the mirror authenticity protocol so afaik installing from mirrors is completely insecure since it's all via HTTP and moving to HTTPS would require getting SSL certs for each specific one which isn't likely to be something that we can do.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA