author Ngô Ngọc Đức Huy <huyngo@disroot.org> 2022-06-19 21:16:08 +0700
committer Ngô Ngọc Đức Huy <huyngo@disroot.org> 2022-06-19 21:16:08 +0700
commit c4dbf95d1b9ba4bb42f49f87600d5e385182b658 (patch)
tree fe3593edde57cb96e105bf62402f5e9f0974cb7a /content
parent 3051589639cc5ae83d85c4811c3ab2f5891843e1 (diff)
download blog-c4dbf95d1b9ba4bb42f49f87600d5e385182b658.tar.gz
Add draft
Diffstat (limited to 'content')
-rw-r--r-- content/posts/2022-06-19-announce-ipwhl.md 92
1 files changed, 92 insertions, 0 deletions
diff --git a/content/posts/2022-06-19-announce-ipwhl.md b/content/posts/2022-06-19-announce-ipwhl.md
new file mode 100644
index 0000000..a1b202e
--- /dev/null
+++ b/content/posts/2022-06-19-announce-ipwhl.md
@@ -0,0 +1,92 @@
+---
+title: "Introducing IPWHL: an alternative Python packaging"
+date: 2022-06-19
+draft: true
+lang: en
+categories: [ announcement ]
+tags: []
+translationKey: "announce-ipwhl"
+---
+
+## What is IPWHL?
+
+The interplanetary wheels (IPWHL) are platform-unique, singly-versioned Python
+built distributions backed by IPFS. It aims to be a downstream wheel supplier
+in a similar fashion to GNU/Linux distributions, whilst take advantage of a
+content-addressing peer-to-peer network to provide a reproducible,
+easy-to-mirror source of packages.
+
+On IPWHL, for each platform (architecture, operating system and Python
+implementation and version), there exists only one single built distribution.
+The collection of these distribution packages are given as a single IPFS CID.
+An installer can use solely this content ID and packages names to reproduce the
+exactly same environment on every platform.
+
+The official IPWHL repository will provide exclusively free software. However,
+deriving the repository should be trivial and is a supported use case.
+
+## Why?
+
+The cheese shop is great, but choosing cheeses from it can often be confusing.
+Dependency resolution is expensive, and version requirements are not
+future-proof. In order to avoid breakage, people usually have to pin packages
+on the installer side, which is redundant and difficult to validate manually.
+Additionally, we believe it is not the packaging users' job to do this; they
+should be able to save their time doing what they do best: writing and using
+software.
+
+Moreover, there are millions of ways for a piece of cheese to rot on the way
+home from the (almost) lawless cheese shop. Everyone can sell at the shop, and
+thus typosquatting is a common exploit. In addition, cheeses from the shop are
+not independently verifiable: the checksums are provided along with the files
+so the shop is the single point of failure for security attacks. There are
+ongoing efforts to integrate TUF into Python packaging toolchain, however it is
+unlikely that they can entirely mitigate this due to the centralized nature of
+the inherent architecture.
+
+Centralization also makes it really difficult for mirrors to be useful for the
+users: the cheese shop is not aware if any of its mirrors, let alone
+redirecting to the closest one. Mirroring is hardly a collaborative effort, one
+either provide everything for an entire region, or give up. On the other hand,
+many organizations host their Python packages and their dependencies on
+dedicated machines running 24/7, but the resources are mostly gone to waste
+when unused by the companies themselves.
+
+IPWHL makes use of IPFS and statically declared and carefully curated metadata
+to try to solve most the listed problems. In addition to providing only one
+wheel version at a time, source distributions are not supplied to avoiding
+executing untrusted code on the users' machine.
+
+## How to package for IPWHL
+
+TBD
+
+## How to use IPWHL?
+
+### Setting up IPFS
+
+IPFS has a well-documented [installation guide](https://docs.ipfs.io/install/).
+It is worth noting that several GNU/Linux distributions and BSD-based OSes may
+have already included it in their repositories.  Afterwards, please follow the
+IPFS quick-start guide. Some downstream go-ipfs packages may also contains a
+init-system service to automatically manage the IPFS daemon. By default, the
+daemon opens a local IPFS gateway at port 8080.
+
+### Use it
+
+To use IPWHL repository, we can simply replace the PyPI URL to the repository
+through an IPFS gateway.  For pip, you can do this by changing `index-url`:
+
+```sh
+pip config --site set global.index-url "http://localhost:8080/ipfs/$IPWHL_CID"
+```
+
+Mirroring a release is also as simple as pinning its CID:
+
+```sh
+ipfs pin add $IPWHL_CID
+```
+
+## Feedback
+
+TBD
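Review bot: The "Use it" section relies on `$IPWHL_CID` in both commands but never says where the reader obtains that value or how to confirm it is the official one. The "What is IPWHL?" section states that an installer uses "solely this content ID and packages names" to reproduce an environment, so the CID is the one thing the user has to get right, and the "Why?" section criticises PyPI precisely because checksums arrive alongside the files. Please add a sentence before the `pip config` line stating where the current CID is published and that it should be fetched from a channel the reader already trusts, not from the gateway that serves the wheels. Smaller points in the same hunk: `ipfs pin add $IPWHL_CID` leaves the variable unquoted while the `pip config` line quotes it, so quote both for consistency; "whilst take advantage" should read "whilst taking advantage", "not aware if any of its mirrors" should read "not aware of any of its mirrors", "one either provide" should read "one either provides", "solve most the listed problems" is missing "of", "supplied to avoiding executing" should read "supplied to avoid executing", and "may also contains a init-system service" should read "may also contain an init-system service". The two `TBD` sections and `draft: true` are fine for a draft commit, but the "How to package for IPWHL" heading lacks the question mark that the other "How to" and "What is" headings carry.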