python-peps/pep-0449/index.html

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="color-scheme" content="light dark">
<title>PEP 449 Removal of the PyPI Mirror Auto Discovery and Naming Scheme | peps.python.org</title>
<link rel="shortcut icon" href="../_static/py.png">
<link rel="canonical" href="https://peps.python.org/pep-0449/">
<link rel="stylesheet" href="../_static/style.css" type="text/css">
<link rel="stylesheet" href="../_static/mq.css" type="text/css">
<link rel="stylesheet" href="../_static/pygments.css" type="text/css" media="(prefers-color-scheme: light)" id="pyg-light">
<link rel="stylesheet" href="../_static/pygments_dark.css" type="text/css" media="(prefers-color-scheme: dark)" id="pyg-dark">
<link rel="alternate" type="application/rss+xml" title="Latest PEPs" href="https://peps.python.org/peps.rss">
<meta property="og:title" content='PEP 449 Removal of the PyPI Mirror Auto Discovery and Naming Scheme | peps.python.org'>
<meta property="og:description" content="This PEP provides a path to deprecate and ultimately remove the auto discovery of PyPI mirrors as well as the hard coded naming scheme which requires delegating a domain name under pypi.python.org to a third party.">
<meta property="og:type" content="website">
<meta property="og:url" content="https://peps.python.org/pep-0449/">
<meta property="og:site_name" content="Python Enhancement Proposals (PEPs)">
<meta property="og:image" content="https://peps.python.org/_static/og-image.png">
<meta property="og:image:alt" content="Python PEPs">
<meta property="og:image:width" content="200">
<meta property="og:image:height" content="200">
<meta name="description" content="This PEP provides a path to deprecate and ultimately remove the auto discovery of PyPI mirrors as well as the hard coded naming scheme which requires delegating a domain name under pypi.python.org to a third party.">
<meta name="theme-color" content="#3776ab">
</head>
<body>
<svg xmlns="http://www.w3.org/2000/svg" style="display: none;">
<symbol id="svg-sun-half" viewBox="0 0 24 24" pointer-events="all">
<title>Following system colour scheme</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="9"></circle>
<path d="M12 3v18m0-12l4.65-4.65M12 14.3l7.37-7.37M12 19.6l8.85-8.85"></path>
</svg>
</symbol>
<symbol id="svg-moon" viewBox="0 0 24 24" pointer-events="all">
<title>Selected dark colour scheme</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<path stroke="none" d="M0 0h24v24H0z" fill="none"></path>
<path d="M12 3c.132 0 .263 0 .393 0a7.5 7.5 0 0 0 7.92 12.446a9 9 0 1 1 -8.313 -12.454z"></path>
</svg>
</symbol>
<symbol id="svg-sun" viewBox="0 0 24 24" pointer-events="all">
<title>Selected light colour scheme</title>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" fill="none"
stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="5"></circle>
<line x1="12" y1="1" x2="12" y2="3"></line>
<line x1="12" y1="21" x2="12" y2="23"></line>
<line x1="4.22" y1="4.22" x2="5.64" y2="5.64"></line>
<line x1="18.36" y1="18.36" x2="19.78" y2="19.78"></line>
<line x1="1" y1="12" x2="3" y2="12"></line>
<line x1="21" y1="12" x2="23" y2="12"></line>
<line x1="4.22" y1="19.78" x2="5.64" y2="18.36"></line>
<line x1="18.36" y1="5.64" x2="19.78" y2="4.22"></line>
</svg>
</symbol>
</svg>
<script>
document.documentElement.dataset.colour_scheme = localStorage.getItem("colour_scheme") || "auto"
</script>
<section id="pep-page-section">
<header>
<h1>Python Enhancement Proposals</h1>
<button id="colour-scheme-cycler" onClick="setColourScheme(nextColourScheme())">
<svg aria-hidden="true" class="colour-scheme-icon-when-auto"><use href="#svg-sun-half"></use></svg>
<svg aria-hidden="true" class="colour-scheme-icon-when-dark"><use href="#svg-moon"></use></svg>
<svg aria-hidden="true" class="colour-scheme-icon-when-light"><use href="#svg-sun"></use></svg>
<span class="visually-hidden">Toggle light / dark / auto colour theme</span>
</button>
</header>
<article>
<section id="pep-content">
<h1 class="page-title">PEP 449 Removal of the PyPI Mirror Auto Discovery and Naming Scheme</h1>
<dl class="rfc2822 field-list simple">
<dt class="field-odd">Author<span class="colon">:</span></dt>
<dd class="field-odd">Donald Stufft &lt;donald&#32;&#97;t&#32;stufft.io&gt;</dd>
<dt class="field-even">BDFL-Delegate<span class="colon">:</span></dt>
<dd class="field-even">Richard Jones &lt;richard&#32;&#97;t&#32;python.org&gt;</dd>
<dt class="field-odd">Discussions-To<span class="colon">:</span></dt>
<dd class="field-odd"><a class="reference external" href="https://mail.python.org/archives/list/distutils-sig&#64;python.org/">Distutils-SIG list</a></dd>
<dt class="field-even">Status<span class="colon">:</span></dt>
<dd class="field-even"><abbr title="Accepted and implementation complete, or no longer active">Final</abbr></dd>
<dt class="field-odd">Type<span class="colon">:</span></dt>
<dd class="field-odd"><abbr title="Normative PEP describing or proposing a change to a Python community process, workflow or governance">Process</abbr></dd>
<dt class="field-even">Topic<span class="colon">:</span></dt>
<dd class="field-even"><a class="reference external" href="../topic/packaging/">Packaging</a></dd>
<dt class="field-odd">Created<span class="colon">:</span></dt>
<dd class="field-odd">04-Aug-2013</dd>
<dt class="field-even">Post-History<span class="colon">:</span></dt>
<dd class="field-even">04-Aug-2013</dd>
<dt class="field-odd">Replaces<span class="colon">:</span></dt>
<dd class="field-odd"><a class="reference external" href="../pep-0381/">381</a></dd>
<dt class="field-even">Resolution<span class="colon">:</span></dt>
<dd class="field-even"><a class="reference external" href="https://mail.python.org/pipermail/distutils-sig/2013-August/022518.html">Distutils-SIG message</a></dd>
</dl>
<hr class="docutils" />
<section id="contents">
<details><summary>Table of Contents</summary><ul class="simple">
<li><a class="reference internal" href="#abstract">Abstract</a></li>
<li><a class="reference internal" href="#rationale">Rationale</a></li>
<li><a class="reference internal" href="#plan-for-deprecation-removal">Plan for Deprecation &amp; Removal</a><ul>
<li><a class="reference internal" href="#why-feb-15th-2014">Why Feb 15th, 2014</a></li>
<li><a class="reference internal" href="#why-the-dns-entries-must-be-removed">Why the DNS entries must be removed</a></li>
</ul>
</li>
<li><a class="reference internal" href="#public-or-private-mirrors">Public or Private Mirrors</a></li>
<li><a class="reference internal" href="#copyright">Copyright</a></li>
</ul>
</details></section>
<section id="abstract">
<h2><a class="toc-backref" href="#abstract" role="doc-backlink">Abstract</a></h2>
<p>This PEP provides a path to deprecate and ultimately remove the auto discovery
of PyPI mirrors as well as the hard coded naming scheme which requires
delegating a domain name under pypi.python.org to a third party.</p>
</section>
<section id="rationale">
<h2><a class="toc-backref" href="#rationale" role="doc-backlink">Rationale</a></h2>
<p>The PyPI mirroring infrastructure (defined in <a class="pep reference internal" href="../pep-0381/" title="PEP 381 Mirroring infrastructure for PyPI">PEP 381</a>) provides a means to
mirror the content of PyPI used by the automatic installers. It also provides
a method for auto discovery of mirrors and a consistent naming scheme.</p>
<p>There are a number of problems with the auto discovery protocol and the
naming scheme:</p>
<ul class="simple">
<li>They give control over a *.python.org domain name to a third party,
allowing that third party to set or read cookies on the pypi.python.org and
python.org domain name.</li>
<li>The use of a sub domain of pypi.python.org means that the mirror operators
will never be able to get an SSL certificate of their own, and giving them
one for a python.org domain name is unlikely to happen.</li>
<li>The auto discovery uses an unauthenticated protocol (DNS).</li>
<li>The lack of a TLS certificate on these domains means that clients cannot
be sure that they have not been a victim of DNS poisoning or a MITM attack.</li>
<li>The auto discovery protocol was designed to enable a client to automatically
select a mirror for use. This is no longer a requirement because the CDN
that PyPI is now using is a globally distributed network of servers which will
automatically select one close to the client without any effort on the
client's part.</li>
<li>The auto discovery protocol and use of the consistent naming scheme has only
ever been implemented by one installer (pip), and its implementation, besides
being insecure, has serious issues with performance and is slated for removal
with its next release (1.5).</li>
<li>While there are provisions in <a class="pep reference internal" href="../pep-0381/" title="PEP 381 Mirroring infrastructure for PyPI">PEP 381</a> that would solve <em>some</em> of these
issues for a dedicated client, they would not solve the issues that affect a
user's browser. Additionally, these provisions have not been implemented by
any installer to date.</li>
</ul>
<p>Due to the number of issues, some of them very serious, and because the CDN
provides most of the benefit of the auto discovery and consistent naming scheme,
this PEP proposes to first deprecate and then remove the [a..z].pypi.python.org
names for mirrors and the last.pypi.python.org name for the auto discovery
protocol. The ability to mirror and the method of mirroring will not be affected
and will continue to exist as written in <a class="pep reference internal" href="../pep-0381/" title="PEP 381 Mirroring infrastructure for PyPI">PEP 381</a>. Operators of existing
mirrors are encouraged to acquire their own domains and certificates to use for
their mirrors if they wish to continue hosting them.</p>
</section>
<section id="plan-for-deprecation-removal">
<h2><a class="toc-backref" href="#plan-for-deprecation-removal" role="doc-backlink">Plan for Deprecation &amp; Removal</a></h2>
<p>Immediately upon acceptance of this PEP, documentation on PyPI will be updated
to reflect the deprecated nature of the official public mirrors and will
direct users to external resources like <a class="reference external" href="http://www.pypi-mirrors.org/">http://www.pypi-mirrors.org/</a> to
discover unofficial public mirrors if they wish to use one.</p>
<p>Mirror operators, if they wish to continue operating their mirror, should
acquire a domain name to represent their mirror and, if they are able, a TLS
certificate. Once they have acquired a domain they should redirect their
assigned N.pypi.python.org domain name to their new domain. On Feb 15th, 2014
the DNS entries for [a..z].pypi.python.org and last.pypi.python.org will be
removed. At any time prior to Feb 15th, 2014 a mirror operator may request
that their domain name be reclaimed by PyPI and pointed back at the master.</p>
<section id="why-feb-15th-2014">
<h3><a class="toc-backref" href="#why-feb-15th-2014" role="doc-backlink">Why Feb 15th, 2014</a></h3>
<p>The most critical decision of this PEP is the final cut off date. If the date
is too soon then it needlessly punishes people by forcing them to drop
everything to update their deployment scripts. If the date is too far away then
the extended period of time does not help with the migration effort and merely
puts off the migration until a later date.</p>
<p>The date of Feb 15th, 2014 has been chosen because it is roughly 6 months from
the date of the PEP. This should ensure a lengthy period of time to enable
people to update their deployment procedures to point to the new domain names
without merely padding the cut off date.</p>
</section>
<section id="why-the-dns-entries-must-be-removed">
<h3><a class="toc-backref" href="#why-the-dns-entries-must-be-removed" role="doc-backlink">Why the DNS entries must be removed</a></h3>
<p>While it would be possible to simply reclaim the domain names used for mirrors
and direct them back at PyPI in order to prevent users from needing to update
configurations to point away from those domains, this has a number of issues.</p>
<ul class="simple">
<li>Anyone who currently has these names hard coded in their configuration has
them hard coded as HTTP. This means that by allowing these names to continue
resolving, we make it simple for a MITM operator to attack users by rewriting
the redirect to HTTPS prior to giving it to the client.</li>
<li>The overhead of maintaining several domains pointing at PyPI has proved
troublesome for the small number of N.pypi.python.org domains that have
already been reclaimed. They oftentimes get misconfigured when things
change on the service, which often leaves them broken for months at a time
until somebody notices. By leaving them in, we leave users of these domains
open to random breakages which are less likely to get caught or noticed.</li>
<li>People using these domains have explicitly chosen to use them for one reason
or another. One such reason may be because they do not wish to deploy from
a host located in a particular country. If these domains continue to resolve
but do not point at their existing locations we have silently removed this
choice from the existing users of those domains.</li>
</ul>
<p>That being said, removing the entries <em>will</em> require users who have modified
their configuration to either point back at the master (PyPI) or select a new
mirror name to point at. This is regarded as a regrettable requirement to
protect PyPI itself and the users of the mirrors from the attacks outlined
above or, at the very least, require them to make an informed decision about
the insecurity.</p>
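<p>As an added illustration (not part of the PEP, and not pip's own code), the check below scans pip.conf-style and requirements-style index settings for the two problems this section and the migration plan describe: index URLs that still name an [a..z].pypi.python.org or last.pypi.python.org host, and index URLs hard coded as plain HTTP. The config keys it recognises, the sample input and the wording of the findings are assumptions made for the example.</p>

```python
import re
from urllib.parse import urlparse

# Hostnames this PEP schedules for DNS removal on Feb 15th, 2014: the per-mirror
# names a.pypi.python.org ... z.pypi.python.org and the auto-discovery name
# last.pypi.python.org.
DEPRECATED_HOST = re.compile(r"^(?:[a-z]|last)\.pypi\.python\.org$", re.IGNORECASE)

# Constructed sample input (not a real configuration): pip.conf-style lines
# followed by requirements-file-style lines.
SAMPLE = """\
[global]
index-url = http://f.pypi.python.org/simple/
extra-index-url = https://mirror.example.org/simple/   # already migrated
-i http://last.pypi.python.org/simple/
--index-url=https://pypi.python.org/simple/
"""

def check_index_url(url):
    """Return the findings for one index URL; an empty list means it is clean."""
    findings = []
    parsed = urlparse(url.strip())
    host = parsed.hostname or ""
    if DEPRECATED_HOST.match(host):
        findings.append(f"deprecated mirror name {host}: choose a new mirror or "
                        "point back at the master, https://pypi.python.org/")
    if parsed.scheme == "http":
        findings.append(f"plain-HTTP index {url.strip()}: an on-path attacker can "
                        "rewrite the response; use https:// on a host with a TLS certificate")
    return findings

def extract_index_urls(text):
    """Collect index URLs from 'index-url = URL' / 'extra-index-url = URL' lines
    (pip.conf style) and '-i URL' / '--index-url=URL' lines (requirements style)."""
    urls = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        m = (re.match(r"^(?:index-url|extra-index-url)\s*=\s*(\S+)", line)
             or re.match(r"^(?:-i|--index-url|--extra-index-url)[\s=]+(\S+)", line))
        if m:
            urls.append(m.group(1))
    return urls

def audit(text):
    """Map every flagged index URL in `text` to its list of findings."""
    found = {url: check_index_url(url) for url in extract_index_urls(text)}
    return {url: f for url, f in found.items() if f}
```

Running <code>audit(SAMPLE)</code> flags the two plain-HTTP entries that name deprecated hosts and leaves the two HTTPS entries untouched.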
</section>
</section>
<section id="public-or-private-mirrors">
<h2><a class="toc-backref" href="#public-or-private-mirrors" role="doc-backlink">Public or Private Mirrors</a></h2>
<p>The mirroring protocol will continue to exist as defined in <a class="pep reference internal" href="../pep-0381/" title="PEP 381 Mirroring infrastructure for PyPI">PEP 381</a> and
people are encouraged to host public and private mirrors if they so desire.
The recommended mirroring client is <a class="reference external" href="https://pypi.python.org/pypi/bandersnatch">Bandersnatch</a>.</p>
</section>
<section id="copyright">
<h2><a class="toc-backref" href="#copyright" role="doc-backlink">Copyright</a></h2>
<p>This document has been placed in the public domain.</p>
</section>
</section>
<hr class="docutils" />
<p>Source: <a class="reference external" href="https://github.com/python/peps/blob/main/peps/pep-0449.rst">https://github.com/python/peps/blob/main/peps/pep-0449.rst</a></p>
<p>Last modified: <a class="reference external" href="https://github.com/python/peps/commits/main/peps/pep-0449.rst">2023-09-09 17:39:29 GMT</a></p>
</article>
</section>
<script src="../_static/colour_scheme.js"></script>
<script src="../_static/wrap_tables.js"></script>
<script src="../_static/sticky_banner.js"></script>
</body>
</html>