This PEP provides a path to deprecate and ultimately remove the auto discoveryof PyPI mirrors as well as the hard coded naming scheme which requiresdelegating a domain name under pypi.python.org to a third party.
The PyPI mirroring infrastructure (defined inPEP 381) provides a means tomirror the content of PyPI used by the automatic installers. It also providesa method for auto discovery of mirrors and a consistent naming scheme.
There are a number of problems with the auto discovery protocol and thenaming scheme:
Due to the number of issues, some of them very serious, and the CDN whichprovides most of the benefit of the auto discovery and consistent naming schemethis PEP proposes to first deprecate and then remove the [a..z].pypi.python.orgnames for mirrors and the last.pypi.python.org name for the auto discoveryprotocol. The ability to mirror and the method of mirror will not be affectedand will continue to exist as written inPEP 381. Operators of existingmirrors are encouraged to acquire their own domains and certificates to use fortheir mirrors if they wish to continue hosting them.
Immediately upon acceptance of this PEP documentation on PyPI will be updatedto reflect the deprecated nature of the official public mirrors and willdirect users to external resources likehttp://www.pypi-mirrors.org/ todiscover unofficial public mirrors if they wish to use one.
Mirror operators, if they wish to continue operating their mirror, shouldacquire a domain name to represent their mirror and, if they are able, a TLScertificate. Once they have acquired a domain they should redirect theirassigned N.pypi.python.org domain name to their new domain. On Feb 15th, 2014the DNS entries for [a..z].pypi.python.org and last.pypi.python.org will beremoved. At any time prior to Feb 15th, 2014 a mirror operator may requestthat their domain name be reclaimed by PyPI and pointed back at the master.
The most critical decision of this PEP is the final cut off date. If the dateis too soon then it needlessly punishes people by forcing them to dropeverything to update their deployment scripts. If the date is too far away thenthe extended period of time does not help with the migration effort and merelyputs off the migration until a later date.
The date of Feb 15th, 2014 has been chosen because it is roughly 6 months fromthe date of the PEP. This should ensure a lengthy period of time to enablepeople to update their deployment procedures to point to the new domains nameswithout merely padding the cut off date.
While it would be possible to simply reclaim the domain names used in mirrorand direct them back at PyPI in order to prevent users from needing to updateconfigurations to point away from those domains this has a number of issues.
That being said, removing the entrieswill require users who have modifiedtheir configuration to either point back at the master (PyPI) or select a newmirror name to point at. This is regarded as a regrettable requirement toprotect PyPI itself and the users of the mirrors from the attacks outlinedabove or, at the very least, require them to make an informed decision aboutthe insecurity.
The mirroring protocol will continue to exist as defined inPEP 381 andpeople are encouraged to host public and private mirrors if they so desire.The recommended mirroring client isBandersnatch.
This document has been placed in the public domain.
Source:https://github.com/python/peps/blob/main/peps/pep-0449.rst
Last modified:2025-02-01 08:59:27 GMT