On Wed, Mar 13, 2013 at 7:21 AM, holger krekel <hol...@merlinux.eu> wrote:
> Hi all,
>
> after some more discussions and hours spent by Carl Meyer (who is now
> co-authoring the PEP) and me, here is a new V3 pre-submit draft.
> It is now more ambitious than the previous draft as should be obvious
> from the modified abstract (and Carl Meyer's and Philip's earlier
> interactions on this list). There also are more details of how
> the current link-scraping works among other improvements and incorporations
> of feedback from discussions here.
>
> We intend to submit this draft tonight to the PEP editors.
>
> Feedback now and later remains welcome. I am sure there are issues to
> be sorted and clarified, among them the versioning-API suggestion by
> Marc-Andre.
>
> Thanks for everybody's support and feedback so far,
> holger

Looks good to me! Setuptools' two releases will probably look like this:

1. Default to externals index, warn when fetching URLs that are not the same host as the index
2. Default to externals index, reject URLs that are not the same host as the index unless --allow-hosts is configured (IOW, default allow-hosts to equal index-url host)

That way, external URLs can still be discovered by the user, but the default configuration is still secure.

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
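
The two-release plan in the reply above, sketched as an added example (not setuptools' own code and not part of the original message): a link is compared by parsed hostname against the index host, or against the `--allow-hosts` glob patterns when those are configured. The function names, the `enforce` switch, the `index.example` and `files.example.net` hosts, and the choice to reject in both releases once `--allow-hosts` is set explicitly are assumptions made for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urljoin, urlsplit

INDEX_URL = "https://index.example/simple/foo/"  # constructed index page URL


def host_of(url, base=""):
    """Lower-cased hostname of url resolved against base; '' if unparsable.

    Using the parsed hostname (not a substring test) ignores userinfo and
    port, so 'http://index.example@files.example.net/' is files.example.net.
    """
    try:
        return (urlsplit(urljoin(base, url)).hostname or "").lower()
    except ValueError:  # e.g. malformed IPv6 literal in the link
        return ""


def check_link(link, index_url=INDEX_URL, allow_hosts=None, enforce=False):
    """Classify one scraped link as 'allow', 'warn' or 'reject'.

    allow_hosts: comma-separated glob patterns, as passed to --allow-hosts.
    enforce=False models the first release (warn), True the second (reject).
    """
    # Relative and scheme-relative hrefs are resolved against the index page.
    host = host_of(link, index_url)
    if allow_hosts:
        patterns = [p.strip().lower() for p in allow_hosts.split(",") if p.strip()]
    else:
        patterns = [host_of(index_url)]  # default: allow-hosts == index host
    if host and any(fnmatchcase(host, p) for p in patterns):
        return "allow"
    # Assumption: an explicitly configured --allow-hosts rejects in both releases.
    return "reject" if (enforce or allow_hosts) else "warn"


if __name__ == "__main__":
    links = [  # constructed sample links, as a scraper might collect them
        "../../packages/foo-1.0.tar.gz",
        "HTTPS://INDEX.EXAMPLE:443/packages/foo-1.0.tar.gz",
        "//files.example.net/foo-1.0.tar.gz",
        "http://index.example@files.example.net/foo-1.0.tar.gz",
    ]
    for link in links:
        print(check_link(link), check_link(link, enforce=True), link)
```
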