Remove direct support for PEP381 Mirrors #1098

Merged
merged 2 commits into from Jul 30, 2013

@dstufft
Member

dstufft commented Jul 29, 2013

  • PEP381 Mirroring support was never fully implemented leaving users of it trivially exploitable to a MITM or malicious mirror operator.
  • 2 out of 6 of the mirrors have been removed from the pool and will never resolve.
  • The remaining mirrors often fall behind
  • The mirrors will likely never be available under HTTPS
  • People who wish to use a mirror of PyPI can still do so by manually specifying a mirror url for --index-url or --extra-index-url which is more flexible, allowing for mirrors to be hosted under any domain.

Additionally Richard has proposed (and I agree with him) de-emphasizing (and ideally removing) the official public mirrors as they are now more or less superseded by the CDN as well as being a security risk for PyPI itself (an attacker controlling z.pypi.python.org can attack the cookies from pypi.python.org).
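
A check that follows from the points above, as an added example that is not pip's code or part of the original thread: it scans CI or requirements text for the mirror options this pull request removes and for index URLs given over plaintext HTTP. `--mirrors` is the companion option to `--use-mirrors` in earlier pip releases; the function names and the sample host name are constructed for illustration.

```python
import re

# Mirror options that pip dropped with this pull request.
REMOVED_FLAGS = ("--use-mirrors", "--mirrors")
# Options that name a package index explicitly (the supported way to use a mirror).
INDEX_FLAGS = ("--index-url", "-i", "--extra-index-url")


def audit_pip_line(line):
    """Return findings for one line of a CI script or requirements file."""
    # Drop trailing comments, then split on whitespace and quote characters so
    # that YAML-quoted commands are tokenised the same way as bare ones.
    code = re.split(r"(?:^|\s)#", line, maxsplit=1)[0]
    tokens = re.findall(r"[^\s'\"]+", code)
    findings = []
    for pos, tok in enumerate(tokens):
        flag, _, value = tok.partition("=")
        if flag in REMOVED_FLAGS:
            findings.append("removed mirror option " + flag)
        elif flag in INDEX_FLAGS:
            # The URL is attached with '=' or is the next token.
            url = value or (tokens[pos + 1] if pos + 1 < len(tokens) else "")
            if url.lower().startswith("http://"):
                findings.append("index fetched over plaintext HTTP: " + url)
    return findings


def audit_text(text):
    """Return (line_number, finding) pairs for every finding in text."""
    return [(no, finding)
            for no, line in enumerate(text.splitlines(), 1)
            for finding in audit_pip_line(line)]


# Constructed sample input; the host name is a placeholder.
SAMPLE = """\
install:
  - pip install --use-mirrors -r requirements.txt
  - "pip install -i http://mirror.example.invalid/simple nose"
  - pip install --extra-index-url=https://mirror.example.invalid/simple tox
  # pip install --use-mirrors old-line
"""

if __name__ == "__main__":
    for no, finding in audit_text(SAMPLE):
        print("line %d: %s" % (no, finding))
```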

@dstufft

Member

dstufft commented Jul 29, 2013

The CI failure on this PR is limited to Python 2.6 and doesn't appear to be directly related to the changes. I personally consider this PR as having passed the tests based on that.

Remove direct support for PEP381 Mirrors
* PEP381 Mirroring support was never fully implemented leaving
  users of it trivially exploitable to a MITM or malicious mirror
  operator.
* 2 out of 6 of the mirrors have been removed from the pool and
  will never resolve.
* The remaining mirrors often fall behind
* The mirrors will likely never be available under HTTPS
* People who wish to use a mirror of PyPI can still do so by
  manually specifying a mirror url for --index-url or
  --extra-index-url which is more flexible, allowing for
  mirrors to be hosted under any domain.
@pnasrat

Contributor

pnasrat commented Jul 29, 2013

I think with the CDN and the issues above we should certainly deprecate/remove mirror support as is.

jezdez added a commit that referenced this pull request Jul 30, 2013

Merge pull request #1098 from dstufft/remove-mirror-support
Remove direct support for PEP381 Mirrors

@jezdez jezdez merged commit c2b799d into pypa:develop Jul 30, 2013

1 check passed

default The Travis CI build passed
@dstufft dstufft deleted the dstufft:remove-mirror-support branch Jul 30, 2013

doismellburning added a commit to pyroven/django-pyroven that referenced this pull request Jan 7, 2015

Drop pip usage of --use-mirrors
pypa/pip#1098 - unsupported, dangerous, slow,
etc.

JamieMagee added a commit to JamieMagee/praw that referenced this pull request Apr 9, 2015

Remove --use-mirrors flag
This flag has been deprecated in pip for a long time now
pypa/pip#1098

micbou added a commit to micbou/ycmd that referenced this pull request May 18, 2015

Remove deprecated --use-mirrors argument from pip
Pip no longer supports --use-mirrors since version 1.5. See
pypa/pip#1098.

micbou added a commit to micbou/YouCompleteMe that referenced this pull request May 18, 2015

Remove deprecated --use-mirrors argument from pip
Pip no longer supports --use-mirrors since version 1.5. See
pypa/pip#1098.

adamkal added a commit to adamkal/django-environ that referenced this pull request Sep 29, 2015

fredkingham added a commit to openhealthcare/opal-referral that referenced this pull request Nov 10, 2015

FND added a commit to FND/markdown-checklist that referenced this pull request Oct 1, 2016

@madelgi madelgi referenced this pull request Oct 25, 2016

Merged

Fix Travis CI #33

rbubley added a commit to rbubley/pycallgraph that referenced this pull request Mar 15, 2017

Update .travis.yaml
`--use-mirrors` was removed as a `pip` option (pypa/pip#1098)

@rbubley rbubley referenced this pull request Mar 15, 2017

Merged

Update .travis.yaml #168

psolyca added a commit to psolyca/totalopenstation that referenced this pull request Oct 21, 2017

Fix travis build
As per the following: pypa/pip#1098

The --use-mirrors argument for travis.yml was deprecated in 2015.

pip builds for 2.7 used before this change fail during automated
testing with 'no option --use-mirrors'

@psolyca psolyca referenced this pull request Oct 21, 2017

Merged

Fix travis build #75

peldszus added a commit to peldszus/supercell that referenced this pull request Feb 23, 2018

Remove --use-mirrors from travis.yml
* This option to `pip install` is now deprecated.
  See: pypa/pip#1098

aspiers pushed a commit to aspiers/rapport that referenced this pull request Mar 5, 2018

Adam Spiers
remove --use-mirrors option
Apparently this is no longer available:

pypa/pip#1098

@aspiers aspiers referenced this pull request Mar 5, 2018

Merged

fix Travis #42

drotschmann added a commit to retresco/supercell that referenced this pull request Mar 8, 2018

Remove --use-mirrors from travis.yml
* This option to `pip install` is now deprecated.
  See: pypa/pip#1098

scottwoodall pushed a commit to scottwoodall/django-redis that referenced this pull request Mar 22, 2018

JoshRosen added a commit to databricks/spark-pr-dashboard that referenced this pull request Sep 3, 2018

JoshRosen added a commit to databricks/spark-pr-dashboard that referenced this pull request Sep 3, 2018

@jmadler jmadler referenced this pull request Sep 7, 2018

Merged

Get TravisCI back in action #360
