iSharkFly-Open
/
python-peps
mirror of https://github.com/python/peps.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

PEP 464: drop the legacy mirror checking API

This commit is contained in:
Nick Coghlan 2014-03-04 20:50:03 +10:00
parent 5a49cbbf52
commit fc186bfdde
1 changed files with 85 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

85
pep-0464.txt Normal file
View File

@ -0,0 +1,85 @@
PEP: 464
Title: Removal of the PyPI Mirror Authenticity API
Version: $Revision$
Last-Modified: $Date$
Author: Donald Stufft <donald@stufft.io>
BDFL-Delegate: Richard Jones <richard@python.org>
Discussions-To: distutils-sig@python.org
Status: Draft
Type: Process
Content-Type: text/x-rst
Created: 02-Mar-2014
Post-History: 03-Mar-2014
Replaces: 381
Abstract
========
This PEP proposes the deprecation and removal of the PyPI Mirror Authenticity
API, this includes the /serverkey URL and all of the URLs under /serversig.
Rationale
=========
The PyPI mirroring infrastructure (defined in PEP 381) provides a means to
mirror the content of PyPI used by the automatic installers, and as a component
of that, it provides a method for verifying the authenticity of the mirrored
content.
This PEP proposal the removal of this API due to:
* No known implementations that utilize this API are known, this includes
`pip <http://www.pip-installer.org/en/latest/>`_ and
`setuptools <http://pythonhosted.org//setuptools/>`_.
* Because this API uses DSA it is vulnerable to leaking the private key if
there is *any* bias in the random nonce.
* This API solves one small corner of the trust problem, however the problem
itself is much larger and it would be better to have a fully fledged system,
such as `The Update Framework <https://python.org/dev/peps/pep-0458/>`_,
instead.
Due to the issues it has and the lack of use it is the opinion of this PEP
that it does not provide any practical benefit to justify the additional
complexity.
Plan for Deprecation & Removal
==============================
Immediately upon the acceptance of this PEP the Mirror Authenticity API will
be considered deprecated and mirroring agents and installation tools should
stop accessing it.
Instead of actually removing it from the current code base (PyPI 1.0) the
current work to replace PyPI 1.0 with a new code base (PyPI 2.0) will simply
not implement this API. This would cause the API to be "removed" when the
switch from 1.0 to 2.0 occurs.
If PyPI 2.0 has not been deployed in place of PyPI 1.0 by Sept 01 2014 then
this PEP will be implemented in the PyPI 1.0 code base instead (by removing
the associated code).
No changes will be required in the installers, however PEP 381 compliant
mirroring clients, such as
`bandersnatch <https://pypi.python.org/pypi/bandersnatch/>`_ and
`pep381client <https://pypi.python.org/pypi/pep381client/>`_ will need to be
updated to no longer attempt to mirror the /serversig URLs.
Copyright
=========
This document has been placed in the public domain.
..
Local Variables:
mode: indented-text
indent-tabs-mode: nil
sentence-end-double-space: t
fill-column: 70
coding: utf-8
End: