Richard's in transit at the moment and I'm about to be, but this sounds worth doing to me.
I say send the pull request :)

Cheers,
Nick.

On 12 Mar 2013 09:42, "Donald Stufft" <don...@stufft.io> wrote:
>
> On Mar 11, 2013, at 7:04 PM, PJ Eby <p...@telecommunity.com> wrote:
>
> > Just a thought, but...
> >
> > If 90% of PyPI projects do not have any external files to download,
> > then, wouldn't it make sense to:
>
> To be accurate it's 90% don't have any files/release available *only*
> externally. Most have external files to download because it's very rare
> that a project doesn't include a home_page or a download_url, especially
> since distutils complains if you don't.
>
> >
> > 1. Add a project-level option to enable or disable the adding of the
> > rel="" attribute to /simple links (but not affecting the links in any
> > other way)
> > 2. Default it to disabled for new projects, and
> > 3. Set it to disabled *now* for the 90% of projects that *don't have
> > external files*?
>
> +1 except 1. should be to remove the links entirely from the /simple/
> index, not to just remove the rel attribute.
>
> >
> > If the arguments about banning external links are as valid and
> > important as some people claim, wouldn't it make sense to do this part
> > *now*, without first requiring a commitment to force the switch to a
> > disabled state in the future?
> >
> > Immediately, 90% of the problem goes away - no random spidering of
> > stuff that doesn't contain a link now, but which could be taken over
> > by a malicious party in the future, and 90% fewer sites having to be
> > up in order for you to build something from PyPI.
> >
> > Seems like a serious win to me -- and one that might not even need a PEP.
>
> Absolutely, and similar to something I asked Richard at the start of this,
> I'm waiting on an OK from someone with authority that they'd merge such a
> change and I'll have a PR out for it asap after that.
>
> >
> > Next steps after this would be providing tools to help people move
> > their files and links, promoting that people switch it off if they no
> > longer support the offsite links, educating about security concerns,
> > etc.
> >
> > I really don't understand why the 90% solution isn't *already* the
> > consensus position, since it doesn't preclude follow-on efforts
> > towards reducing the 10% towards 0%.
> >
> > And if the problem is so important, why must we keep 90% of the
> > problems in place, just so we can keep arguing about censoring the
> > 10%? That doesn't make sense to me.
> >
> > To me, if somebody's injured, the first thing you do is clean and
> > close the wound, not argue about whether it's a complete solution and
> > what might happen days or weeks later.
>
> Like I said above, I'm just waiting on an OK that this has a chance of
> landing before bothering to implement it.
>
> >
> > Just a thought.
> > _______________________________________________
> > Catalog-SIG mailing list
> > Catalog-SIG@python.org
> > http://mail.python.org/mailman/listinfo/catalog-sig
>
>
> -----------------
> Donald Stufft
> PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
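The proposal quoted above turns on one mechanical question: which links on a project's /simple/ page point at files hosted on the index itself, which point at external archives, and which carry rel="homepage" / rel="download" and so get spidered by installers. The script below is an added illustration, not PyPI's or pip's code. It assumes the page layout of the time (relative hrefs for index-hosted files with an #md5= fragment, rel="homepage"/rel="download" on the offsite links, non-archive links without rel= ignored by installers), uses a constructed index host and two constructed pages, and applies the three steps of the proposal: classify the links, detect the "only external" 10% case, and compute which hosts an install would still have to reach (and trust) once the external links are removed.

```python
"""Classify links on a /simple/<project>/ page and apply the proposed switch.

Constructed example; INDEX_HOST, the two sample pages and the policy
helpers are assumptions for illustration, not PyPI or pip behaviour
verified against their source.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

INDEX_HOST = "pypi.python.org"                    # assumed host of the /simple/ index
SCRAPE_RELS = frozenset({"homepage", "download"})  # rel values installers followed
ARCHIVE_SUFFIXES = (".tar.gz", ".tar.bz2", ".zip", ".egg", ".whl")


class LinkCollector(HTMLParser):
    """Collects (absolute_url, rel) for every <a href> on the page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        if href:
            self.links.append((urljoin(self.base_url, href), attrs.get("rel")))


def classify(page_html, base_url):
    """Bucket the page's links: index-hosted archives, offsite archives, pages to spider."""
    collector = LinkCollector(base_url)
    collector.feed(page_html)
    out = {"internal": [], "external_files": [], "scrape": []}
    for url, rel in collector.links:
        parts = urlsplit(url)            # drops the #md5= fragment from the path check
        is_archive = parts.path.endswith(ARCHIVE_SUFFIXES)
        if parts.netloc == INDEX_HOST and is_archive:
            out["internal"].append(url)
        elif is_archive:
            out["external_files"].append(url)
        elif rel in SCRAPE_RELS:
            out["scrape"].append(url)   # a whole page the installer fetches and scans
        # a non-archive link without rel= is assumed ignored by installers
    return out


def external_only(classified):
    """The '10%' case: nothing installable is hosted on the index itself."""
    return not classified["internal"]


def links_under_policy(classified, external_links_enabled):
    """Links the /simple page publishes under the project-level switch.

    Disabled means the offsite links are removed entirely (Donald's variant),
    not merely stripped of their rel attribute.
    """
    if external_links_enabled:
        return classified["internal"] + classified["external_files"] + classified["scrape"]
    return list(classified["internal"])


def hosts_touched(links):
    """Hosts an installer must reach: each must be up, and each could be taken over."""
    return {urlsplit(url).netloc for url in links}


def split_projects(pages):
    """Step 3 of the proposal: (safe to disable now, must stay enabled for now)."""
    safe, keep = [], []
    for name, (html, base_url) in sorted(pages.items()):
        (keep if external_only(classify(html, base_url)) else safe).append(name)
    return safe, keep


# Constructed sample pages (not real projects).
ALPHA_URL = "https://pypi.python.org/simple/alpha/"
ALPHA_HTML = """<html><body><h1>Links for alpha</h1>
<a href="../../packages/source/a/alpha/alpha-1.0.tar.gz#md5=0123456789abcdef0123456789abcdef">alpha-1.0.tar.gz</a><br/>
<a href="http://alpha.example.org/" rel="homepage">1.0 home_page</a><br/>
<a href="http://files.example.org/alpha/" rel="download">1.0 download_url</a><br/>
</body></html>"""

BETA_URL = "https://pypi.python.org/simple/beta/"
BETA_HTML = """<html><body><h1>Links for beta</h1>
<a href="http://beta.example.net/" rel="homepage">0.3 home_page</a><br/>
<a href="http://beta.example.net/dist/beta-0.3.zip" rel="download">0.3 download_url</a><br/>
</body></html>"""

if __name__ == "__main__":
    for name, (html, url) in {"alpha": (ALPHA_HTML, ALPHA_URL), "beta": (BETA_HTML, BETA_URL)}.items():
        c = classify(html, url)
        print(name, "external-only:", external_only(c))
        print("  hosts with links enabled :", sorted(hosts_touched(links_under_policy(c, True))))
        print("  hosts with links disabled:", sorted(hosts_touched(links_under_policy(c, False))))
    print("safe to disable now / must stay enabled:",
          split_projects({"alpha": (ALPHA_HTML, ALPHA_URL), "beta": (BETA_HTML, BETA_URL)}))
```

For "alpha" (the 90% case) the set of hosts drops from three to the index host alone once the links are removed, which is the "90% fewer sites having to be up" point made above; "beta" has no index-hosted file, so the switch has to stay on for it until its files are moved.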