Diffstat (limited to 'content')
-rw-r--r-- content/posts/2022-06-19-announce-ipwhl.md | 48
1 files changed, 13 insertions, 35 deletions
diff --git a/content/posts/2022-06-19-announce-ipwhl.md b/content/posts/2022-06-19-announce-ipwhl.md
index a1b202e..7559eea 100644
--- a/content/posts/2022-06-19-announce-ipwhl.md
+++ b/content/posts/2022-06-19-announce-ipwhl.md
@@ -10,7 +10,7 @@ translationKey: "announce-ipwhl"
 
 ## What is IPWHL?
 
-The interplanetary wheels (IPWHL) are platform-unique, singly-versioned Python
+The [interplanetary wheels][IPWHL] are platform-unique, singly-versioned Python
 built distributions backed by IPFS. It aims to be a downstream wheel supplier
 in a similar fashion to GNU/Linux distributions, whilst take advantage of a
 content-addressing peer-to-peer network to provide a reproducible,
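Review bot: the new reference-style link `[interplanetary wheels][IPWHL]` on the changed line is only valid if the `[IPWHL]: https://sr.ht/~cnx/ipwhl` definition from the following hunk is applied with it; if this hunk is ever cherry-picked alone the link renders as literal brackets. While touching this paragraph, the unchanged context lines have a subject agreement problem: "The interplanetary wheels ... are" is followed by "It aims to be", and "whilst take advantage of" should read "whilst taking advantage of". Suggest "They aim to be a downstream wheel supplier ..., whilst taking advantage of a content-addressing peer-to-peer network".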
@@ -25,41 +25,18 @@ exactly same environment on every platform.
 The official IPWHL repository will provide exclusively free software. However,
 deriving the repository should be trivial and is a supported use case.
 
+[IPWHL]: https://sr.ht/~cnx/ipwhl
+
 ## Why?
 
-The cheese shop is great, but choosing cheeses from it can often be confusing.
-Dependency resolution is expensive, and version requirements are not
-future-proof. In order to avoid breakage, people usually have to pin packages
-on the installer side, which is redundant and difficult to validate manually.
-Additionally, we believe it is not the packaging users' job to do this; they
-should be able to save their time doing what they do best: writing and using
-software.
-
-Moreover, there are millions of ways for a piece of cheese to rot on the way
-home from the (almost) lawless cheese shop. Everyone can sell at the shop, and
-thus typosquatting is a common exploit. In addition, cheeses from the shop are
-not independently verifiable: the checksums are provided along with the files
-so the shop is the single point of failure for security attacks. There are
-ongoing efforts to integrate TUF into Python packaging toolchain, however it is
-unlikely that they can entirely mitigate this due to the centralized nature of
-the inherent architecture.
-
-Centralization also makes it really difficult for mirrors to be useful for the
-users: the cheese shop is not aware if any of its mirrors, let alone
-redirecting to the closest one. Mirroring is hardly a collaborative effort, one
-either provide everything for an entire region, or give up. On the other hand,
-many organizations host their Python packages and their dependencies on
-dedicated machines running 24/7, but the resources are mostly gone to waste
-when unused by the companies themselves.
-
-IPWHL makes use of IPFS and statically declared and carefully curated metadata
-to try to solve most the listed problems. In addition to providing only one
-wheel version at a time, source distributions are not supplied to avoiding
-executing untrusted code on the users' machine.
-
-## How to package for IPWHL
-
-TBD
+IPWHL is created as a curated and decentralized Python package repository.
+
+PyPI repository is uncurated: anyone can publish a package there, which enables
+typosquatting and some other exploits.  In contrast, by controlling which
+packages can go into IPWHL, we reduces risk of distributing malware
+significantly. Decentralizing the repository with IPFS makes mirroring more
+helpful and cost-saving. Additionally, by making the wheels singly-versioned,
+IPWHL is expected to save time for dependency resolution.
 
 ## How to use IPWHL?
 
@@ -89,4 +66,5 @@ ipfs pin add $IPWHL_CID
 
 ## Feedback
 
-TBD
+IPWHL is in its early stage, so we would appreciate if you can let us know how
+you feel about it.
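Review bot: the new "Feedback" paragraph gives no channel for feedback: it asks readers to "let us know" but names no mailing list, issue tracker or contact, so the section is no more actionable than the "TBD" it replaces. Suggest adding a link to wherever the project receives reports (the sr.ht project page linked earlier in the post would do) and smoothing the sentence to "IPWHL is in its early stage, so we would appreciate it if you let us know what you think of it."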