Diffstat (limited to 'content')
-rw-r--r-- | content/posts/2022-06-19-announce-ipwhl.md | 48 |
1 files changed, 13 insertions, 35 deletions
diff --git a/content/posts/2022-06-19-announce-ipwhl.md b/content/posts/2022-06-19-announce-ipwhl.md index a1b202e..7559eea 100644 --- a/content/posts/2022-06-19-announce-ipwhl.md +++ b/content/posts/2022-06-19-announce-ipwhl.md @@ -10,7 +10,7 @@ translationKey: "announce-ipwhl" ## What is IPWHL? -The interplanetary wheels (IPWHL) are platform-unique, singly-versioned Python +The [interplanetary wheels][IPWHL] are platform-unique, singly-versioned Python built distributions backed by IPFS. It aims to be a downstream wheel supplier in a similar fashion to GNU/Linux distributions, whilst take advantage of a content-addressing peer-to-peer network to provide a reproducible, 
@@ -25,41 +25,18 @@ exactly same environment on every platform. The official IPWHL repository will provide exclusively free software. However, deriving the repository should be trivial and is a supported use case. +[IPWHL]: https://sr.ht/~cnx/ipwhl + ## Why? -The cheese shop is great, but choosing cheeses from it can often be confusing. -Dependency resolution is expensive, and version requirements are not -future-proof. In order to avoid breakage, people usually have to pin packages -on the installer side, which is redundant and difficult to validate manually. -Additionally, we believe it is not the packaging users' job to do this; they -should be able to save their time doing what they do best: writing and using -software. - -Moreover, there are millions of ways for a piece of cheese to rot on the way -home from the (almost) lawless cheese shop. Everyone can sell at the shop, and -thus typosquatting is a common exploit. In addition, cheeses from the shop are -not independently verifiable: the checksums are provided along with the files -so the shop is the single point of failure for security attacks. There are -ongoing efforts to integrate TUF into Python packaging toolchain, however it is -unlikely that they can entirely mitigate this due to the centralized nature of -the inherent architecture. - -Centralization also makes it really difficult for mirrors to be useful for the -users: the cheese shop is not aware if any of its mirrors, let alone -redirecting to the closest one. Mirroring is hardly a collaborative effort, one -either provide everything for an entire region, or give up. On the other hand, -many organizations host their Python packages and their dependencies on -dedicated machines running 24/7, but the resources are mostly gone to waste -when unused by the companies themselves. - -IPWHL makes use of IPFS and statically declared and carefully curated metadata -to try to solve most the listed problems. 
In addition to providing only one -wheel version at a time, source distributions are not supplied to avoiding -executing untrusted code on the users' machine. - -## How to package for IPWHL - -TBD +IPWHL is created as a curated and decentralized Python package repository. + +PyPI repository is uncurated: anyone can publish a package there, which enables +typosquatting and some other exploits. In contrast, by controlling which +packages can go into IPWHL, we reduces risk of distributing malware +significantly. Decentralizing the repository with IPFS makes mirroring more +helpful and cost-saving. Additionally, by making the wheels singly-versioned, +IPWHL is expected to save time for dependency resolution. ## How to use IPWHL? @@ -89,4 +66,5 @@ ipfs pin add $IPWHL_CID ## Feedback -TBD +IPWHL is in its early stage, so we would appreciate if you can let us know how +you feel about it. |
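Review bot: In the `@@ -10,7 +10,7 @@` hunk, turning "The interplanetary wheels (IPWHL)" into "The [interplanetary wheels][IPWHL]" drops the only in-text expansion of the acronym, so after this change "IPWHL" is introced solely by the heading "## What is IPWHL?". Suggest keeping the parenthetical, e.g. `The [interplanetary wheels][IPWHL] (IPWHL) are platform-unique, singly-versioned Python`. Note also that the `[IPWHL]:` reference target is only defined in the next hunk, so both hunks need to land together for the link to render.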
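Review bot: The rewritten "## Why?" section in the `@@ -25,41 +25,18 @@` hunk loses the two concrete security arguments the old text made and that the new one-paragraph version does not restate: that PyPI serves checksums from the same place as the files, so the index is a single point of failure for verification, and that IPWHL supplies no source distributions so installing never executes untrusted build code on the user's machine. Consider carrying those over as one sentence after "we reduces risk of distributing malware significantly." Two grammar fixes in the added lines as well: "PyPI repository is uncurated" should read "The PyPI repository is uncurated", and "we reduces risk of distributing malware" should read "we reduce the risk of distributing malware".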
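Review bot: Minor wording in the `@@ -89,4 +66,5 @@` hunk: "we would appreciate if you can let us know how you feel about it" reads more naturally as "we would appreciate it if you let us know what you think of it".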