Also want to make sure the original authors of PEP381 and the mirroring clients are aware of this PEP!
On Mar 5, 2014, at 7:31 PM, Donald Stufft <don...@stufft.io> wrote:

> Just a ping on this :) I’m assuming nobody actually cares because it’s an
> unused API, but since it was introduced through a PEP I wanted to remove it
> through a PEP.
>
> On Mar 4, 2014, at 2:48 PM, Donald Stufft <don...@stufft.io> wrote:
>
>> Hello! I’d like to propose PEP464, the removal of the PyPI Mirror
>> Authenticity API which was originally described in PEP381.
>>
>> The text of the PEP is below, or it can be viewed online at
>> https://python.org/dev/peps/pep-0464/
>>
>> PEP: 464
>> Title: Removal of the PyPI Mirror Authenticity API
>> Version: $Revision$
>> Last-Modified: $Date$
>> Author: Donald Stufft <don...@stufft.io>
>> BDFL-Delegate: Richard Jones <rich...@python.org>
>> Discussions-To: distutils-sig@python.org
>> Status: Draft
>> Type: Process
>> Content-Type: text/x-rst
>> Created: 02-Mar-2014
>> Post-History: 03-Mar-2014
>> Replaces: 381
>>
>>
>> Abstract
>> ========
>>
>> This PEP proposes the deprecation and removal of the PyPI Mirror Authenticity
>> API; this includes the /serverkey URL and all of the URLs under /serversig.
>>
>>
>> Rationale
>> =========
>>
>> The PyPI mirroring infrastructure (defined in PEP 381) provides a means to
>> mirror the content of PyPI used by the automatic installers, and as a
>> component of that, it provides a method for verifying the authenticity of
>> the mirrored content.
>>
>> This PEP proposes the removal of this API due to:
>>
>> * No known implementations that utilize this API are known; this includes
>>   `pip <http://www.pip-installer.org/en/latest/>`_ and
>>   `setuptools <http://pythonhosted.org//setuptools/>`_.
>> * Because this API uses DSA it is vulnerable to leaking the private key if
>>   there is *any* bias in the random nonce.
>> * This API solves one small corner of the trust problem; however, the problem
>>   itself is much larger and it would be better to have a fully fledged system,
>>   such as `The Update Framework <https://python.org/dev/peps/pep-0458/>`_,
>>   instead.
>>
>> Due to the issues it has and the lack of use, it is the opinion of this PEP
>> that it does not provide any practical benefit to justify the additional
>> complexity.
>>
>>
>> Plan for Deprecation & Removal
>> ==============================
>>
>> Immediately upon the acceptance of this PEP the Mirror Authenticity API will
>> be considered deprecated, and mirroring agents and installation tools should
>> stop accessing it.
>>
>> Instead of actually removing it from the current code base (PyPI 1.0), the
>> current work to replace PyPI 1.0 with a new code base (PyPI 2.0) will simply
>> not implement this API. This would cause the API to be "removed" when the
>> switch from 1.0 to 2.0 occurs.
>>
>> If PyPI 2.0 has not been deployed in place of PyPI 1.0 by Sept 01 2014, then
>> this PEP will be implemented in the PyPI 1.0 code base instead (by removing
>> the associated code).
>>
>> No changes will be required in the installers; however, PEP 381 compliant
>> mirroring clients, such as
>> `bandersnatch <https://pypi.python.org/pypi/bandersnatch/>`_ and
>> `pep381client <https://pypi.python.org/pypi/pep381client/>`_, will need to be
>> updated to no longer attempt to mirror the /serversig URLs.
>>
>>
>> Copyright
>> =========
>>
>> This document has been placed in the public domain.
>>
>> -----------------
>> Donald Stufft
>> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>>
>> _______________________________________________
>> Distutils-SIG maillist - Distutils-SIG@python.org
>> https://mail.python.org/mailman/listinfo/distutils-sig
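The DSA nonce point in the quoted rationale, shown at its extreme (a repeated k) alongside the usual mitigation, as an added example that is not part of the PEP or of this thread: the toy group P, Q, G, the key, the messages and the helper names are all constructed for illustration and are unrelated to the real PyPI server key. Real nonce-bias attacks need lattice techniques; reuse is just the case small enough to show in a few lines.

```python
"""Toy DSA: a reused nonce k leaks the signing key (the PEP 464 rationale),
and an RFC 6979-style deterministic nonce removes the dependence on an RNG.
Everything here is a constructed 11-bit toy, not the PyPI mirror key."""
import hashlib
import hmac
import secrets

P, Q, G = 2039, 1019, 4  # constructed: p = 2q + 1, and g = 4 has order q mod p


def h(msg):
    """Message hash reduced into Z_q, as DSA does."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q


def keygen(x=None):
    """Private x in [1, q-1] (fixed for reproducibility if given), public y."""
    x = secrets.randbelow(Q - 1) + 1 if x is None else x
    return x, pow(G, x, P)


def sign(x, msg, k):
    """Textbook DSA; k is passed in so the nonce handling stays explicit."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h(msg) + x * r) % Q
    return r, s


def verify(y, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = (pow(G, h(msg) * w % Q, P) * pow(y, r * w % Q, P) % P) % Q
    return v == r


def deterministic_nonce(x, msg):
    """Simplified RFC 6979 idea: k is a PRF of (key, message), so it never
    depends on RNG quality and only repeats when the same message is re-signed."""
    key = x.to_bytes((Q.bit_length() + 7) // 8, "big")
    mac = hmac.new(key, hashlib.sha256(msg).digest(), "sha256").digest()
    return int.from_bytes(mac, "big") % (Q - 1) + 1


def recover_key_from_reused_nonce(m1, sig1, m2, sig2):
    """Same k gives the same r, and s1 - s2 = k^-1 (h1 - h2) mod q, so two
    modular inverses recover first k and then x. This is why a biased nonce
    is fatal: any structure in k leaks x, reuse just does it in one step."""
    (r, s1), (_, s2) = sig1, sig2
    k = (h(m1) - h(m2)) * pow((s1 - s2) % Q, -1, Q) % Q
    return (s1 * k - h(m1)) * pow(r, -1, Q) % Q
```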