Add additional reasons and explicitly reject the "next steps" of PEP 438

Donald Stufft 2014-06-06 07:57:08 -04:00
parent 443b0b8f48
commit c70767600e
1 changed files with 15 additions and 0 deletions

@ -389,6 +389,9 @@ This includes:
hosted. hosted.
* Default to disallowing safely externally hosted files with only a global * Default to disallowing safely externally hosted files with only a global
flag to enable them, but disallow unsafely hosted. flag to enable them, but disallow unsafely hosted.
* Continue on the suggested path of PEP 438 and remove the option to unsafely
host externally but continue to allow the option to safely host externally.
These proposals are rejected because: These proposals are rejected because:
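Review bot: The new bullet says "the suggested path of PEP 438" while the commit subject calls the same thing the "next steps" of PEP 438; use the same term in both so a reader can find the part of PEP 438 being rejected. The wording "unsafely host externally" / "safely host externally" also departs from the bullets just above, which say "safely externally hosted files" and "unsafely hosted"; keeping one phrasing across the list makes it clear that all of these alternatives refer to the same two categories.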
@ -454,6 +457,18 @@ These proposals are rejected because:
or attempt to deploy to a server where their install will fail again until or attempt to deploy to a server where their install will fail again until
they add the "make it work" flag in their configuration file. they add the "make it work" flag in their configuration file.
* The URL classification only works for a certain subset of projects, however
it does not allow for any project which needs additional restrictions such
as Access Controls. This means that there would be two methods of doing the
same thing, linking to a file safely and hosting an index. Hosting an index
works in all situations and by relying on this we make for a more consistent
experience no matter the reason for external hosting.
* The safe external hosting option hampers the ability of PyPI to upgrade it's
security infrastructure. For instance if MD5 becomes broken in the future
there will be no way for PyPI to upgrade the hashes of the projects which
rely on safe external hosting via MD5 while files that are hosted on PyPI
can simply be processed over with a new hash function.
Copyright Copyright
========= =========
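Review bot: The MD5 bullet asserts "there will be no way for PyPI to upgrade the hashes" for safely externally hosted projects but never states why, even though the whole argument rests on it; add a clause that makes the contrast with files "hosted on PyPI" explicit, so the security rationale can be checked rather than taken on trust. In the same bullet, "upgrade it's security infrastructure" should read "its", and "processed over with a new hash function" would be clearer as "re-hashed with a new hash function". In the first added bullet, "two methods of doing the same thing, linking to a file safely and hosting an index" reads better with a colon before the two methods, and "Access Controls" does not need capitals.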