On Wed, Mar 13, 2013 at 23:43 -0700, Nick Coghlan wrote:
> On Wed, Mar 13, 2013 at 5:16 PM, Carl Meyer <[email protected]> wrote:
> > There is no "instead of." There are parallel proposals (see the TUF
> > thread) to improve the security of the ecosystem, and those proposals
> > are not mutually exclusive with this one. If you search the PEP text,
> > note that you don't find the words "secure" or "security" anywhere
> > within it, or any claims of security achieved by this proposal alone.
> > There is a brief mention of MITM attacks, which is relevant to the PEP
> > because avoiding external link-crawling does reduce that attack surface,
> > even if other proposals will also help with that (even more).
>
> Right, the changes to provide end-to-end security require more
> extensive changes and need to be given appropriate consideration
> before we proceed to implementation and deployment. This PEP,
> especially with the additional changes you propose here is an
> excellent approach to *near term* improvement, as a parallel effort to
> the more complex proposals.
>
> The /simple/ index will also be around for a long time for backwards
> compatibility reasons, regardless of any other changes that happen in
> the overall distribution ecosystem.
I haven't followed the latest TUF discussions and related docs in depth yet, but if those developments will regard "simple/" as a deprecated interface, I think this PEP here should maybe not introduce "simple/-with-externals" as it will just make the situation more complicated for everyone to understand in a few months from now.

best,
holger

> Cheers,
> Nick.
>
> --
> Nick Coghlan | [email protected] | Brisbane, Australia
> _______________________________________________
> Catalog-SIG mailing list
> [email protected]
> http://mail.python.org/mailman/listinfo/catalog-sig
