Just a ping on this :) I’m assuming nobody actually cares because it’s an unused API but since it was introduced through a PEP I wanted to remove it through a PEP.
On Mar 4, 2014, at 2:48 PM, Donald Stufft <don...@stufft.io> wrote:

> Hello! I’d like to propose PEP464, the removal of the PyPI Mirror
> Authenticity API which was originally described in PEP381.
>
> The text of the PEP is below, or it can be viewed online at
> https://python.org/dev/peps/pep-0464/
>
> PEP: 464
> Title: Removal of the PyPI Mirror Authenticity API
> Version: $Revision$
> Last-Modified: $Date$
> Author: Donald Stufft <don...@stufft.io>
> BDFL-Delegate: Richard Jones <rich...@python.org>
> Discussions-To: distutils-sig@python.org
> Status: Draft
> Type: Process
> Content-Type: text/x-rst
> Created: 02-Mar-2014
> Post-History: 03-Mar-2014
> Replaces: 381
>
>
> Abstract
> ========
>
> This PEP proposes the deprecation and removal of the PyPI Mirror Authenticity
> API; this includes the /serverkey URL and all of the URLs under /serversig.
>
>
> Rationale
> =========
>
> The PyPI mirroring infrastructure (defined in PEP 381) provides a means to
> mirror the content of PyPI used by the automatic installers, and as a
> component of that, it provides a method for verifying the authenticity of the
> mirrored content.
>
> This PEP proposes the removal of this API due to:
>
> * No known implementations that utilize this API are known, this includes
>   `pip <http://www.pip-installer.org/en/latest/>`_ and
>   `setuptools <http://pythonhosted.org//setuptools/>`_.
> * Because this API uses DSA it is vulnerable to leaking the private key if
>   there is *any* bias in the random nonce.
> * This API solves one small corner of the trust problem, however the problem
>   itself is much larger and it would be better to have a fully fledged system,
>   such as `The Update Framework <https://python.org/dev/peps/pep-0458/>`_,
>   instead.
>
> Due to the issues it has and the lack of use it is the opinion of this PEP
> that it does not provide any practical benefit to justify the additional
> complexity.
>
>
> Plan for Deprecation & Removal
> ==============================
>
> Immediately upon the acceptance of this PEP the Mirror Authenticity API will
> be considered deprecated and mirroring agents and installation tools should
> stop accessing it.
>
> Instead of actually removing it from the current code base (PyPI 1.0) the
> current work to replace PyPI 1.0 with a new code base (PyPI 2.0) will simply
> not implement this API. This would cause the API to be "removed" when the
> switch from 1.0 to 2.0 occurs.
>
> If PyPI 2.0 has not been deployed in place of PyPI 1.0 by Sept 01 2014 then
> this PEP will be implemented in the PyPI 1.0 code base instead (by removing
> the associated code).
>
> No changes will be required in the installers, however PEP 381 compliant
> mirroring clients, such as
> `bandersnatch <https://pypi.python.org/pypi/bandersnatch/>`_ and
> `pep381client <https://pypi.python.org/pypi/pep381client/>`_ will need to be
> updated to no longer attempt to mirror the /serversig URLs.
>
>
> Copyright
> =========
>
> This document has been placed in the public domain.
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG@python.org
> https://mail.python.org/mailman/listinfo/distutils-sig

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
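The DSA nonce point in the PEP's rationale, as an added worked example (constructed here, not code from the PEP, PyPI or the thread): textbook DSA over a constructed toy group (P=23, Q=11, G=4, far too small for real use) in which one nonce reused for two signatures, the degenerate case of a biased nonce, hands back the private key, alongside a simplified deterministic-nonce derivation in the spirit of RFC 6979 as the standard mitigation.

```python
# Added example (not part of the PEP or the thread): toy DSA over a tiny group
# to show why the rationale singles out DSA's per-signature nonce. The group
# parameters, key and "hashes" below are constructed for illustration only.
import hashlib

P, Q, G = 23, 11, 4          # constructed toy group: Q divides P-1, G has order Q mod P

def sign(x, h, k):
    """Textbook DSA: h is the message hash reduced mod Q, k the per-signature nonce."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick another nonce")
    return r, s

def verify(y, h, sig):
    """Standard DSA verification against public key y = G^x mod P."""
    r, s = sig
    w = pow(s, -1, Q)
    v = (pow(G, h * w % Q, P) * pow(y, r * w % Q, P) % P) % Q
    return v == r

def recover_private_key(h1, sig1, h2, sig2):
    """Two signatures sharing a nonce (same r) leak k, and from k the private key x.
    This is the simplest instance of the nonce bias the PEP refers to; partial
    bias is exploitable too, with more signatures and lattice methods."""
    r, s1 = sig1
    r2, s2 = sig2
    if r != r2 or s1 == s2:
        raise ValueError("signatures do not share a nonce")
    k = (h1 - h2) * pow(s1 - s2, -1, Q) % Q          # s1 - s2 = k^-1 (h1 - h2)
    return (s1 * k - h1) * pow(r, -1, Q) % Q          # s1 k = h1 + x r

def deterministic_nonce(x, h):
    """Mitigation in the spirit of RFC 6979 (simplified; not the RFC's HMAC_DRBG
    construction): derive k from key and message so it is never reused or biased
    by a weak RNG."""
    digest = hashlib.sha256(f"{x}:{h}".encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1   # 1 <= k < Q

def demo():
    x = 7                                         # constructed private key
    y = pow(G, x, P)                              # public key
    h1, h2 = 5, 9                                 # two "message hashes" mod Q
    sig1, sig2 = sign(x, h1, 3), sign(x, h2, 3)   # same nonce k=3 used twice
    assert verify(y, h1, sig1) and verify(y, h2, sig2)
    return recover_private_key(h1, sig1, h2, sig2) == x

if __name__ == "__main__":
    print("private key recovered from nonce reuse:", demo())
```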