

PyPI Migrated to New Infrastructure - donaldstufft
https://mail.python.org/pipermail/distutils-sig/2014-January/023522.html

======
e12e
Well, great news for pypi. As for using salt -- I thought: "Well, I guess it's
time I had another look, they probably have their security story together now,
after all."

So I have a look at the "Masterless Quickstart" and "Installation" pages [1,2]
and find:

    wget -O - http://bootstrap.saltstack.org | sudo sh

And the server answering on 443 on that host doesn't have a certificate for
that domain, or the bootstrap script (clearly it's not configured for an SSL
vhost by that name/id -- through SNI or otherwise).

So, just run some code downloaded over plain http as root on all my servers?
Great plan!

edit: I think I'll stick with Ansible for now.

edit2: For those wanting a look at the salt states, from the thread[3]:

> Where are the states stored?

[https://github.com/python/pypi-salt](https://github.com/python/pypi-salt)

1:
[http://docs.saltstack.com/topics/tutorials/quickstart.html](http://docs.saltstack.com/topics/tutorials/quickstart.html)

2:
[http://docs.saltstack.com/topics/installation/index.html](http://docs.saltstack.com/topics/installation/index.html)

3: [https://mail.python.org/pipermail/distutils-sig/2014-January...](https://mail.python.org/pipermail/distutils-sig/2014-January/023531.html)

~~~
jyap
On the Installation page you linked to, it clearly mentions:

PLATFORM-SPECIFIC INSTALLATION INSTRUCTIONS

These guides go into detail how to install salt on a given platform.

A QuickStart is just that. Something which serves its purpose as a QuickStart.
If you have security concerns then read the source code or test it out in a
VM.

~~~
e12e
It doesn't change the fact that running code that's downloaded over
http, unverified by any kind of signature, as root -- is a very bad idea, and
just having it there in official documentation for a package whose purpose is
managing systems gives me a very poor impression of the project's security
goals.
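The `wget ... | sudo sh` line quoted in the first post, and the objection above, as an added shell example that is not from the thread or from the Salt project: the weak pattern beside a fetch, save, verify-by-pinned-hash, then run alternative. It assumes `curl` and either `sha256sum` or `shasum` are available; the URL and expected hash passed to `fetch_and_run` are caller-supplied placeholders, and the demo uses a constructed script so it runs offline.

```shell
# Added example (not from the thread): pipe-to-root-shell vs. verify-then-run.
# Weak pattern quoted above (do not use):
#   wget -O - http://bootstrap.saltstack.org | sudo sh
# Plain http gives no transport integrity, nothing checks a signature or
# checksum, and the code runs as root before anyone has read it.

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | awk '{print $1}'
    else shasum -a 256 "$1" | awk '{print $1}'; fi
}

# Run a saved script only if it matches a hash pinned from a trusted channel
# (signed release notes, a vendored copy), never one served beside the script.
# Returns 0 if the hash matched and the script exited 0, 1 otherwise.
run_verified() {
    file="$1"; expected="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch: expected $expected, got $actual" >&2
        return 1
    fi
    sh -e "$file"   # -e: a truncated download stops at the first error
}

# Fetch over HTTPS only (--proto '=https' makes curl refuse http, including
# redirects), fail on HTTP errors, save to disk instead of piping, verify, run.
fetch_and_run() {
    url="$1"; expected="$2"   # placeholders supplied by the caller
    tmp=$(mktemp) || return 1
    if curl --fail --silent --show-error --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
        run_verified "$tmp" "$expected" && rc=0 || rc=1
    else
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Constructed offline demo: a tiny script, its real hash, and a wrong hash.
# Returns 0 when the good hash runs and the bad hash is refused.
demo() {
    script=$(mktemp) || return 1
    printf '#!/bin/sh\necho hello from verified script\n' > "$script"
    if run_verified "$script" "$(sha256_of "$script")" >/dev/null; then ok=0; else ok=1; fi
    if run_verified "$script" "deadbeef" 2>/dev/null; then bad=0; else bad=1; fi
    rm -f "$script"
    [ "$ok" -eq 0 ] && [ "$bad" -ne 0 ]
}
```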

------
SEJeff
They are using salt to configure their infrastructure now instead of chef,
interesting!

[https://github.com/saltstack/salt](https://github.com/saltstack/salt)

~~~
jonesetc
They felt dirty using a ruby project.

~~~
eberfreitas
Ansible would be another awesome python solution to use in this case.

~~~
donpdonp
As a solo developer doing my own devops, Ansible has been fantastic for its
near-zero infrastructure overhead.

------
mrweasel
I'm impressed how little infrastructure they were making do with previously.
PyPI hasn't been too bad considering the backend.

