[Python-checkins] peps: Add additional reasons and explicitly reject the "next steps" of PEP 438

donald.stufft python-checkins at python.org
Fri Jun 6 13:57:16 CEST 2014


http://hg.python.org/peps/rev/3128e9d38937
changeset: 5488:3128e9d38937
user: Donald Stufft <donald at stufft.io>
date: Fri Jun 06 07:57:08 2014 -0400
summary:
 Add additional reasons and explicitly reject the "next steps" of PEP 438
files:
 pep-0470.txt | 15 +++++++++++++++
 1 files changed, 15 insertions(+), 0 deletions(-)
diff --git a/pep-0470.txt b/pep-0470.txt
--- a/pep-0470.txt
+++ b/pep-0470.txt
@@ -389,6 +389,9 @@
 hosted.
 * Default to disallowing safely externally hosted files with only a global
 flag to enable them, but disallow unsafely hosted.
+* Continue on the suggested path of PEP 438 and remove the option to unsafely
+ host externally but continue to allow the option to safely host externally.
+
 
 These proposals are rejected because:
 
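Review bot: the added bullet ends with an extra added blank line, right before the existing blank context line, so the list is now followed by two blank lines ahead of "These proposals are rejected because:" where there was one; drop the added blank line. The wording "remove the option to unsafely host externally but continue to allow the option to safely host externally" is also harder to parse than the bullet above it; "remove unsafe external hosting but keep safe external hosting" would match that bullet's phrasing.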
@@ -454,6 +457,18 @@
 or attempt to deploy to a server where their install will fail again until
 they add the "make it work" flag in their configuration file.
 
+* The URL classification only works for a certain subset of projects, however
+ it does not allow for any project which needs additional restrictions such
+ as Access Controls. This means that there would be two methods of doing the
+ same thing, linking to a file safely and hosting an index. Hosting an index
+ works in all situations and by relying on this we make for a more consistent
+ experience no matter the reason for external hosting.
+
+* The safe external hosting option hampers the ability of PyPI to upgrade it's
+ security infrastructure. For instance if MD5 becomes broken in the future
+ there will be no way for PyPI to upgrade the hashes of the projects which
+ rely on safe external hosting via MD5 while files that are hosted on PyPI
+ can simply be processed over with a new hash function.
 
 Copyright
 =========
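Review bot: in the second added bullet, "if MD5 becomes broken in the future" ties the argument to one algorithm, and "can simply be processed over with a new hash function" is vague about what PyPI would do. Something like "if the hash function in use has to be replaced, PyPI cannot recompute the hashes for externally hosted files, while files hosted on PyPI can simply be re-hashed" states the point directly. The same bullet has "upgrade it's security infrastructure", which should be "its". In the first added bullet, "however" joins two sentences with a comma, and "two methods of doing the same thing, linking to a file safely and hosting an index" reads better with a colon after "thing".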
-- 
Repository URL: http://hg.python.org/peps

