Donald Stufft <donald <at> stufft.io> writes:
>
> >> Rolling up answers to multiple questions in here.
> >>
> >> 1) Warehouse is the name of the software that will power PyPI 2.0.
> >> 2) Nothing about the future of Warehouse is set in stone and API
> >> breakages and the like will be discussed beforehand.
> >> 3) The way the migration was going to work was posted to this list
> >> already (https://mail.python.org/pipermail/distutils-sig/2013-July/022096.html).
> >> 4) In regards to the PyPISSH I don't know exactly what tooling I want to replace it with, it might
> >> simply be a saner implementation of SSH Authentication, it might be TLS Client Certs,
> >> or OAuth Tokens. Personally I'm leaning towards TLS Client Certs and possibly OAuth
> >> tokens but that will be decided down the road.
> >
> > To refine my statement, the current server implementation of using opensshd with some
> > authorized_keys trickery is what the infra team is declining to support long term.
> > Something built around Twisted's SSH server impl (for example) could be a suitable
> > replacement since that would be secure by default as opposed to the current system where
> > any failure on our part gives you shell access to the PyPI server. I know of no current
> > issues, but long-term it isn't a position we want to be in in terms of support.
> >
> > --Noah
> >
>
> Yes, if SSH Authentication is kept long term it will likely be replaced by an implementation
> using Twisted on the server side and I dunno what but something that doesn't involve shelling
> out to a command named ``ssh`` on the client side so that it can work out of the box on more OSs.

Just out of curiosity, does it mean Warehouse is Python 2 software at this point?

(thanks for the answers above, by the way. TLS client certs sound ok, especially if you let users choose their CA)

Regards

Antoine.

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig