On Sep 4, 2013, at 12:14 PM, Donald Stufft wrote:

> On Sep 4, 2013, at 2:36 PM, Vinay Sajip <vinay_sa...@yahoo.co.uk> wrote:
>
>>> Obligatory reminder that we (I) have no intention of supporting pypissh as
>>> we move into the Era of Warehouse.
>>
>> What *is* the Era of Warehouse, exactly? Is there any documentation which
>> defines standards, interfaces etc., or a rough time frame/road map for such
>> documentation? What are the deliverables? Is it expected that there could be
>> multiple implementations of a standard, or just a single blessed
>> implementation that everyone has to use? Does all or most of the discussion
>> about Warehouse happen on this list, or does substantive discussion take
>> place on some other list somewhere?
>>
>> Regards,
>>
>> Vinay Sajip
>
> Rolling up answers to multiple questions in here.
>
> 1) Warehouse is the name of the software that will power PyPI 2.0.
> 2) Nothing about the future of Warehouse is set in stone and API
>    breakages and the like will be discussed beforehand.
> 3) The way the migration was going to work was posted to this list
>    already
>    (https://mail.python.org/pipermail/distutils-sig/2013-July/022096.html).
> 4) In regards to the PyPISSH I don't know exactly what tooling I want to
>    replace it with, it might simply be a saner implementation of SSH
>    Authentication, it might be TLS Client Certs, or OAuth Tokens.
>    Personally I'm leaning towards TLS Client Certs and possibly OAuth
>    tokens but that will be decided down the road.

To refine my statement, the current server implementation of using opensshd with some authorized_keys trickery is what the infra team is declining to support long term. Something built around Twisted's SSH server impl (for example) could be a suitable replacement since that would be secure by default as opposed to the current system where any failure on our part gives you shell access to the PyPI server. I know of no current issues, but long-term it isn't a position we want to be in in terms of support.

--Noah
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
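
One way to check for the failure mode described in the message above, as an added example that is not part of the original post or of PyPI's configuration: an audit of `authorized_keys` entries that reports any key able to reach more than a single forced command. It assumes the "authorized_keys trickery" means OpenSSH per-key options such as `command="..."` (the message does not say); the `upload-only` path and the sample entries are constructed.

```python
import re

KEYTYPE = re.compile(r"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-\S+|sk-\S+)$")
# Each option closes one path around a forced command (names lower-cased).
LOCKDOWN = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding", "no-user-rc"}

def split_options(line):
    """Return (options dict, rest of line) for one authorized_keys entry."""
    if KEYTYPE.match(line.split(None, 1)[0]):
        return {}, line                      # entry has no options field
    opts, buf, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if quoted and c == "\\" and line[i + 1:i + 2] == '"':
            buf, i = buf + '"', i + 2        # escaped quote inside a value
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts, buf = opts + [buf], ""     # end of one option
        elif c.isspace() and not quoted:
            break                            # end of the options field
        else:
            buf += c
        i += 1
    parsed = {n.lower(): v for n, _, v in (o.partition("=") for o in opts + [buf])}
    return parsed, line[i:].strip()

def audit(line):
    """List the ways this key could reach more than one fixed command."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    opts, _ = split_options(line)
    findings = []
    if not opts.get("command"):
        findings.append("no forced command: key gets the account's login shell")
    if "restrict" in opts:                   # OpenSSH 7.2+ deny-all shorthand
        findings += [f"{o[3:]} re-enabled" for o in sorted(LOCKDOWN) if o[3:] in opts]
    else:
        findings += [f"missing {o}" for o in sorted(LOCKDOWN - set(opts))]
    return findings

# Constructed sample entries; the key blobs are placeholders, not real keys.
SAMPLE = [
    "ssh-ed25519 AAAAC3CONSTRUCTED alice@example",
    r'command="/usr/local/bin/upload-only --user \"bob\"",no-pty ssh-rsa AAAAB3CONSTRUCTED bob@example',
    'restrict,command="/usr/local/bin/upload-only" ssh-ed25519 AAAAC3CONSTRUCTED carol@example',
]
print(*((e.split()[-1], audit(e) or "ok") for e in SAMPLE), sep="\n")
```

The audit only shows that every entry is locked down today; a single entry written without its options still falls through to a login shell, which is the fail-open property the message objects to.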