
Everything PyPI has should be public

Posted May 25, 2023 15:59 UTC (Thu) by kleptog (subscriber, #1183)
In reply to: Everything PyPI has should be public by geofft
Parent article: PyPI was subpoenaed

> We should really have shared infrastructure where PyPI can send you signed content - and you can send PyPI signed uploads, too - but all anyone knows is the next-hop address, akin to how email handles it. When I'm doing uploads, PyPI needs to know who I am, but not where I'm coming from. And when I'm doing a pip install, PyPI really doesn't need to know that I even exist.

Ironically, this is almost precisely what ISP proxies did. Although their purpose was to save on bandwidth, as a side effect they made everybody from the same ISP indistinguishable at that level. Of course, once you add in user agents it works much less well.

It probably was phased out because it has all the same issues as CGNAT but with more resources.


Everything PyPI has should be public

Posted May 25, 2023 16:14 UTC (Thu) by farnz (subscriber, #17727)

It also didn't interact well with the design of HTTPS. The ISP proxy was a deliberate MitM, and there's no good way in HTTPS for a proxy to do anything more sophisticated than pass the stream through. Once you're simply relaying HTTPS to the origins, the proxy becomes of low value - no better than a SOCKS5 proxy, for those who remember using those to escape firewalls.
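As an added illustration of farnz's point about HTTPS and proxies (and of kleptog's remark that user agents undo the anonymity a shared proxy gives), here is a small parser for the first request a client sends to a forwarding proxy. It is example code written for this page, not code from the thread, from LWN or from PyPI. For plain HTTP the proxy reads the full URL and every header, including User-Agent, which is what let ISP proxies cache content and also what distinguishes clients behind them; for HTTPS it receives only a CONNECT to host:port and thereafter relays opaque TLS bytes. Both request samples, including the User-Agent string, are constructed, not captured traffic.

```python
"""What a forward proxy learns from plain HTTP versus an HTTPS CONNECT tunnel.

Constructed example for illustration; not code from LWN, PyPI or pip.
"""

from dataclasses import dataclass
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# Headers that tend to differ per client and so re-identify users who share
# one egress address (the "user agents" point in the thread above).
CLIENT_IDENTIFYING_HEADERS = {"user-agent", "accept-language", "cookie", "authorization"}


@dataclass
class ProxyView:
    mode: str                 # "plaintext" or "tunnel"
    next_hop: str             # host:port the proxy opens a connection to
    url: Optional[str]        # full request target; None once the payload is TLS
    headers: Dict[str, str]   # client headers the proxy can read (lower-cased names)
    payload_visible: bool     # whether the proxy can inspect or cache the exchange


def parse_proxy_request(raw: bytes) -> ProxyView:
    """Parse the first request on a proxy connection and report what the proxy sees."""
    head, _sep, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)

    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if method.upper() == "CONNECT":
        # Target is authority-form (host:port). Everything that follows the
        # proxy's "200 Connection established" is TLS, so the proxy can only relay.
        return ProxyView("tunnel", target, None, headers, payload_visible=False)

    # Absolute-form target: the proxy sees scheme, host, path and query, and can
    # both cache the response and log the request in full.
    parts = urlsplit(target)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return ProxyView("plaintext", f"{parts.hostname}:{port}", target, headers,
                     payload_visible=True)


def distinguishing_headers(view: ProxyView) -> Set[str]:
    """Headers the proxy can read that re-identify individual clients behind it."""
    return {name for name in view.headers if name in CLIENT_IDENTIFYING_HEADERS}


# Constructed sample traffic (not captured data).
PLAIN_HTTP = (
    b"GET http://pypi.org/simple/requests/ HTTP/1.1\r\n"
    b"Host: pypi.org\r\n"
    b"User-Agent: example-client/1.0 (constructed)\r\n"
    b"\r\n"
)
HTTPS_TUNNEL = (
    b"CONNECT pypi.org:443 HTTP/1.1\r\n"
    b"Host: pypi.org:443\r\n"
    b"\r\n"
    b"\x16\x03\x01\x00\x00"   # start of an opaque TLS record (constructed bytes)
)

if __name__ == "__main__":
    for label, sample in (("plain HTTP", PLAIN_HTTP), ("HTTPS via CONNECT", HTTPS_TUNNEL)):
        view = parse_proxy_request(sample)
        print(f"{label}: mode={view.mode} next_hop={view.next_hop} url={view.url} "
              f"payload_visible={view.payload_visible} "
              f"identifying={sorted(distinguishing_headers(view))}")
```

Running it shows the asymmetry the comments describe: the plaintext request hands the proxy the URL to cache and a User-Agent to tell clients apart, while the CONNECT request leaves it with nothing but the next hop to relay to.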


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds