On Mar 11, 2013, at 7:04 PM, PJ Eby <p...@telecommunity.com> wrote:

> Just a thought, but...
>
> If 90% of PyPI projects do not have any external files to download,
> then, wouldn't it make sense to:

To be accurate it's 90% don't have any files/release available *only* externally. Most have external files to download because it's very rare that a project doesn't include a home_page or a download_url, especially since distutils complains if you don't.

> 1. Add a project-level option to enable or disable the adding of the
> rel="" attribute to /simple links (but not affecting the links in any
> other way)
> 2. Default it to disabled for new projects, and
> 3. Set it to disabled *now* for the 90% of projects that *don't have
> external files*?

+1 except 1. should be to remove the links entirely from the /simple/ index, not to just remove the rel attribute.

> If the arguments about banning external links are as valid and
> important as some people claim, wouldn't it make sense to do this part
> *now*, without first requiring a commitment to force the switch to a
> disabled state in the future?
>
> Immediately, 90% of the problem goes away - no random spidering of
> stuff that doesn't contain a link now, but which could be taken over
> by a malicious party in the future, and 90% fewer sites having to be
> up in order for you to build something from PyPI.
>
> Seems like a serious win to me -- and one that might not even need a PEP.

Absolutely, and similar to something I asked Richard at the start of this, I'm waiting on an OK from someone with authority that they'd merge such a change and I'll have a PR out for it asap after that.

> Next steps after this would be providing tools to help people move
> their files and links, promoting that people switch it off if they no
> longer support the offsite links, educating about security concerns,
> etc.
>
> I really don't understand why the 90% solution isn't *already* the
> consensus position, since it doesn't preclude follow-on efforts
> towards reducing the 10% towards 0%.
>
> And if the problem is so important, why must we keep 90% of the
> problems in place, just so we can keep arguing about censoring the
> 10%?

That doesn't make sense to me.

> To me, if somebody's injured, the first thing you do is clean and
> close the wound, not argue about whether it's a complete solution and
> what might happen days or weeks later.

Like I said above, I'm just waiting on an OK that this has a chance of landing before bothering to implement it.

> Just a thought.
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG@python.org
> http://mail.python.org/mailman/listinfo/catalog-sig

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
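To make the distinction the thread turns on concrete (projects with external rel="homepage"/rel="download" links versus projects whose files are available *only* off-site), here is an added example that is not part of the thread and not PyPI's own code. It parses a /simple/<project>/ page in the 2013-era layout (one `<a>` per hosted file or external link, with `rel="homepage"` and `rel="download"` marking the home_page and download_url), classifies the links by host, and renders the "hosted-only" variant of the page that the "+1 except 1." reply proposes (external links removed entirely rather than just stripped of their rel attribute). The index base URL `https://pypi.python.org/simple/`, the two sample pages and the project-level reading of "available only externally" (no file hosted on the index at all) are assumptions of this example.

```python
"""Classify the links on a PyPI /simple/<project>/ page and render the
'hosted-only' variant the thread proposes (external links dropped).

Added example for this thread; it is not PyPI's code. It assumes the
2013-era /simple page layout: one <a> per file or external link, with
rel="homepage" / rel="download" marking the project's home_page and
download_url. The sample pages below are constructed, not real."""
import html
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urljoin, urlsplit

INDEX_BASE = "https://pypi.python.org/simple/"   # assumed index root


@dataclass
class Link:
    href: str            # absolute URL after resolving against the page URL
    text: str            # link text
    rel: Optional[str]   # "homepage", "download", or None for a file link
    external: bool       # True when the host is not the index host


class SimpleIndexParser(HTMLParser):
    """Collect every <a> on a /simple page, resolving relative hrefs."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.index_host = urlsplit(page_url).hostname
        self.links: List[Link] = []
        self._open: Optional[Link] = None

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = dict(attrs)
        href = urljoin(self.page_url, a.get("href") or "")
        self._open = Link(href, "", a.get("rel"),
                          urlsplit(href).hostname != self.index_host)

    def handle_data(self, data):
        if self._open is not None:
            self._open.text += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.links.append(self._open)
            self._open = None


def parse_simple(project: str, page: str) -> List[Link]:
    p = SimpleIndexParser(f"{INDEX_BASE}{project}/")
    p.feed(page)
    p.close()
    return p.links


def classify(project: str, page: str) -> dict:
    """Split links into hosted files, rel= links (the ones a client spiders)
    and direct external file links. 'external_only' is the project-level
    simplification of "a release available only externally": nothing is
    hosted on the index at all, yet external links exist."""
    links = parse_simple(project, page)
    hosted = [lk for lk in links if not lk.external]
    rel_links = [lk for lk in links if lk.external and lk.rel in ("homepage", "download")]
    ext_files = [lk for lk in links if lk.external and lk.rel is None]
    return {
        "hosted": hosted,
        "rel_links": rel_links,
        "external_files": ext_files,
        "external_only": not hosted and bool(rel_links or ext_files),
    }


def render_hosted_only(project: str, page: str) -> str:
    """Re-emit the page with external links removed entirely (the '+1 except
    1.' variant), keeping hosted file links and their #md5= fragments."""
    rows = [
        f'<a href="{html.escape(lk.href, quote=True)}">{html.escape(lk.text)}</a><br/>'
        for lk in parse_simple(project, page) if not lk.external
    ]
    body = "\n".join(rows)
    return (f"<html><head><title>Links for {project}</title></head>"
            f"<body><h1>Links for {project}</h1>\n{body}\n</body></html>")


# Constructed sample pages (not real projects): foo hosts its file and also
# carries rel= links; bar is reachable only through an external host.
FOO_PAGE = """<html><head><title>Links for foo</title></head><body><h1>Links for foo</h1>
<a href="../../packages/source/f/foo/foo-1.0.tar.gz#md5=0123456789abcdef0123456789abcdef">foo-1.0.tar.gz</a><br/>
<a href="http://foo.example.com/" rel="homepage">1.0 home_page</a><br/>
<a href="http://foo.example.com/dl/foo-1.0.tar.gz" rel="download">1.0 download_url</a><br/>
</body></html>"""

BAR_PAGE = """<html><head><title>Links for bar</title></head><body><h1>Links for bar</h1>
<a href="http://bar.example.org/bar-2.1.zip#md5=fedcba9876543210fedcba9876543210">bar-2.1.zip</a><br/>
<a href="http://bar.example.org/" rel="homepage">2.1 home_page</a><br/>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("foo", FOO_PAGE), ("bar", BAR_PAGE)):
        c = classify(name, page)
        print(name, "hosted=%d rel=%d external_files=%d external_only=%s" % (
            len(c["hosted"]), len(c["rel_links"]), len(c["external_files"]), c["external_only"]))
    print(render_hosted_only("foo", FOO_PAGE))
```

Run over the two constructed pages, `foo` comes out as "has external links but nothing only external" (the common case the reply describes) while `bar` is "external only"; the rendered hosted-only page for `foo` keeps its `#md5=` fragment and loses both `example.com` links, which is what removing the links from /simple/ rather than just their rel attribute means for a client that resolves the index.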