
Everything PyPI has should be public

Posted May 26, 2023 15:51 UTC (Fri) by kleptog (subscriber, #1183)
In reply to: Everything PyPI has should be public by farnz
Parent article: PyPI was subpoenaed

That sounds like an incredibly niche use-case. If you're a network engineer at a major internet exchange, sure. But for the vast majority of websites the IP address is never going to be used for anything other than country determination for statistics, so simply dropping the last octet loses nothing.

You can always think of situations where the full IP gives relevant information. I just don't see the argument, other than inertia, why it should be the default in HTTP logs. The few people for whom it is relevant can turn it off.


Everything PyPI has should be public

Posted May 26, 2023 16:04 UTC (Fri) by farnz (subscriber, #17727)

Sure, but how do you tell a website owner "you're never going to make it big - you might as well drop the last octet" (or /96 suffix in IPv6)?

It's my experience that the people who would lose least from assuming that they're going to stay smallish are the ones who assume that they're going to grow to at least the scale of Amazon.nl - and we then get into a social problem, where Amazon.nl are big enough that they benefit from knowing the full IP and correlating possible problems by close co-operation with Dutch ISPs, and the site owner does not want to know that they're never going to be that big, so they choose products that treat them as Amazon.nl scale, rather than ones that obfuscate part of the IP in storage by default.

