~huyngo/xrvs.net

3a210bd05849238547ea2176e06d76df7d3e27fa — Ngô Ngọc Đức Huy a month ago c4dbf95
Update draft
1 files changed, 13 insertions(+), 35 deletions(-)

M content/posts/2022-06-19-announce-ipwhl.md
M content/posts/2022-06-19-announce-ipwhl.md => content/posts/2022-06-19-announce-ipwhl.md +13 -35
@@ 10,7 10,7 @@ translationKey: "announce-ipwhl"

## What is IPWHL?

The interplanetary wheels (IPWHL) are platform-unique, singly-versioned Python
The [interplanetary wheels][IPWHL] are platform-unique, singly-versioned Python
built distributions backed by IPFS. It aims to be a downstream wheel supplier
in a similar fashion to GNU/Linux distributions, whilst take advantage of a
content-addressing peer-to-peer network to provide a reproducible,


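Review bot: the subject number flips within this paragraph: the rewritten line reads `The [interplanetary wheels][IPWHL] are platform-unique, singly-versioned Python` while the unchanged context continues `It aims to be a downstream wheel supplier`; since the sentence is being touched anyway, settle on one subject (plural `They aim ...` or singular `IPWHL is ... It aims ...`). The context line `in a similar fashion to GNU/Linux distributions, whilst take advantage of a` should read `whilst taking advantage of a`. The `[IPWHL]` reference-style link introduced here only resolves because the `[IPWHL]: https://sr.ht/~cnx/ipwhl` definition is added further down in this same commit; consider placing that definition directly after this paragraph so a later rewrite of the section it currently sits in does not silently break the link.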
@@ 25,41 25,18 @@ exactly same environment on every platform.
The official IPWHL repository will provide exclusively free software. However,
deriving the repository should be trivial and is a supported use case.

[IPWHL]: https://sr.ht/~cnx/ipwhl

## Why?

The cheese shop is great, but choosing cheeses from it can often be confusing.
Dependency resolution is expensive, and version requirements are not
future-proof. In order to avoid breakage, people usually have to pin packages
on the installer side, which is redundant and difficult to validate manually.
Additionally, we believe it is not the packaging users' job to do this; they
should be able to save their time doing what they do best: writing and using
software.

Moreover, there are millions of ways for a piece of cheese to rot on the way
home from the (almost) lawless cheese shop. Everyone can sell at the shop, and
thus typosquatting is a common exploit. In addition, cheeses from the shop are
not independently verifiable: the checksums are provided along with the files
so the shop is the single point of failure for security attacks. There are
ongoing efforts to integrate TUF into Python packaging toolchain, however it is
unlikely that they can entirely mitigate this due to the centralized nature of
the inherent architecture.

Centralization also makes it really difficult for mirrors to be useful for the
users: the cheese shop is not aware if any of its mirrors, let alone
redirecting to the closest one. Mirroring is hardly a collaborative effort, one
either provide everything for an entire region, or give up. On the other hand,
many organizations host their Python packages and their dependencies on
dedicated machines running 24/7, but the resources are mostly gone to waste
when unused by the companies themselves.

IPWHL makes use of IPFS and statically declared and carefully curated metadata
to try to solve most the listed problems. In addition to providing only one
wheel version at a time, source distributions are not supplied to avoiding
executing untrusted code on the users' machine.

## How to package for IPWHL

TBD
IPWHL is created as a curated and decentralized Python package repository.

PyPI repository is uncurated: anyone can publish a package there, which enables
typosquatting and some other exploits.  In contrast, by controlling which
packages can go into IPWHL, we reduces risk of distributing malware
significantly. Decentralizing the repository with IPFS makes mirroring more
helpful and cost-saving. Additionally, by making the wheels singly-versioned,
IPWHL is expected to save time for dependency resolution.

## How to use IPWHL?



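Review bot: the paragraph that replaces `TBD` under `## How to package for IPWHL` (`IPWHL is created as a curated and decentralized Python package repository.` onward) explains what IPWHL is and why it exists, not how to build or submit a wheel for it; it is really the condensed form of the `## Why?` section this hunk deletes. Either keep a `## Why?` heading for that paragraph and leave the packaging section as `TBD`, or write actual packaging steps here. The condensation also drops the two concrete security arguments the old text made: that an index which publishes checksums alongside the files is a single point of failure, which content addressing over IPFS avoids, and that IPWHL ships no source distributions so no untrusted build code runs on the user's machine at install time. The replacement `by controlling which packages can go into IPWHL, we reduces risk of distributing malware significantly` is both weaker than those points and unsupported by anything else in the post; keep at least a sentence on each. Minor wording on the added lines: `PyPI repository is uncurated` wants `The PyPI repository`, `we reduces` should be `we reduce`, and `typosquatting and some other exploits` should say `attacks`, since typosquatting is not an exploit.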
@@ 89,4 66,5 @@ ipfs pin add $IPWHL_CID

## Feedback

TBD
IPWHL is in its early stage, so we would appreciate if you can let us know how
you feel about it.