On Sep 4, 2013, at 3:19 PM, Noah Kantrowitz <n...@coderanger.net> wrote:
>
> On Sep 4, 2013, at 12:14 PM, Donald Stufft wrote:
>
>> On Sep 4, 2013, at 2:36 PM, Vinay Sajip <vinay_sa...@yahoo.co.uk> wrote:
>>
>>>> Obligatory reminder that we (I) have no intention of supporting pypissh as
>>>> we move into the Era of Warehouse.
>>>
>>> What *is* the Era of Warehouse, exactly? Is there any documentation which
>>> defines standards, interfaces etc., or a rough time frame/road map for such
>>> documentation? What are the deliverables? Is it expected that there could
>>> be multiple implementations of a standard, or just a single blessed
>>> implementation that everyone has to use? Does all or most of the discussion
>>> about Warehouse happen on this list, or does substantive discussion take
>>> place on some other list somewhere?
>>>
>>> Regards,
>>>
>>> Vinay Sajip
>>
>> Rolling up answers to multiple questions in here.
>>
>> 1) Warehouse is the name of the software that will power PyPI 2.0.
>> 2) Nothing about the future of Warehouse is set in stone and API
>>    breakages and the like will be discussed beforehand.
>> 3) The way the migration was going to work was posted to this list
>>    already
>>    (https://mail.python.org/pipermail/distutils-sig/2013-July/022096.html).
>> 4) In regards to the PyPISSH I don't know exactly what tooling I want to
>>    replace it with, it might
>>    simply be a saner implementation of SSH Authentication, it might be TLS
>>    Client Certs,
>>    or OAuth Tokens. Personally I'm leaning towards TLS Client Certs and
>>    possibly OAuth
>>    tokens but that will be decided down the road.
>
> To refine my statement, the current server implementation of using opensshd
> with some authorized_keys trickery is what the infra team is declining to
> support long term. Something built around Twisted's SSH server impl (for
> example) could be a suitable replacement since that would be secure by
> default as opposed to the current system where any failure on our part gives
> you shell access to the PyPI server. I know of no current issues, but
> long-term it isn't a position we want to be in in terms of support.
>
> --Noah
>

Yes, if SSH Authentication is kept long term it will likely be replaced by an implementation using Twisted on the server side and I dunno what but something that doesn't involve shelling out to a command named ``ssh`` on the client side so that it can work out of the box on more OSs.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig