From 6c01d648bfcaccf8460b57fed312392c4b6f609f Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Wed, 10 Sep 2025 16:23:17 +0100 Subject: [PATCH 1/3] Commit --- .github/CODEOWNERS | 1 + peps/pep-0807.rst | 126 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 127 insertions(+) create mode 100644 peps/pep-0807.rst diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 42c10c3dcb3..97c599a1254 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -679,6 +679,7 @@ peps/pep-0800.rst @JelleZijlstra peps/pep-0801.rst @warsaw peps/pep-0802.rst @AA-Turner peps/pep-0803.rst @encukou +peps/pep-0806.rst @ezio-melotti # ... peps/pep-2026.rst @hugovk # ... diff --git a/peps/pep-0807.rst b/peps/pep-0807.rst new file mode 100644 index 00000000000..bae896d8b6d --- /dev/null +++ b/peps/pep-0807.rst 
@@ -0,0 +1,126 @@ +PEP: 807 +Title: Creation of a CPython mirror +Author: Stan Ulbrych +Sponsor: Ezio Melotti +Discussions-To: Pending +Status: Draft +Type: Process +Created: 10-Sep-2025 + + +Abstract +======== + +This PEP proposes the creation of an official read-only mirror of the +`CPython Git repository `_, +currently hosted on GitHub (since :pep:`512`), on an additional hosting +platform to improve resilience. + + +Motivation +========== + +The authors believe that mirroring the repository on an alternative +platform will limit +`vendor lock-in `_ and improve +the security, resilience, and accessibility of CPython without impacting the +current development workflow. +Currently, the up-to-date CPython source code is officially available only +on GitHub, following the retirement of `hg.python.org `_. +The idea of a mirror was originally noted in :pep:`512#the-fate-of-hg-python-org`. + +.. note:: + + The standard clone of a repository does not pull all information, see + the `Git documentation `_ + for more information. + +Many open source projects provide mirrors, for example: +`GNOME `_, `KDE `_, +`Git `_, `GCC `_, +`Linux `_, `curl `_, +`FreeBSD `_, and `OpenBSD `_. + +Relying on a single storage provider carries the risk that, if the provider +goes down, all data stored on the platform could be lost. +This is similar to maintaining backups of personal data (photos, documents, etc.). + +In the event of a temporary outage, local development can still continue as +one can pull the most recent state of the repository from the mirror. +In the event of a permanent outage, having a mirror with the +``python`` namespace would allow for a smoother migration to a new +contribution platform as many things would already be set up, and +a copy of the up-to-date source would be available. + +Some contributors prefer using open-source platforms to develop open source projects. +Since `GitHub `_ is not open source, a mirror would allow us to +address this concern. 
Mirrors improve accessibility for contributors in regions +where GitHub may be blocked [#ghcens]_ or slow. + + +Rationale +========= + +The mirror is **not** intended to replace the host for contributions +(issues, pull requests, CI), but to provide an additional +read-only distribution channel for the Git data (commits, branches, tags etc.) +because having multiple contribution platforms would introduce excessive +complexity and asynchrony. + +Mirrors require little maintenance and should not have a financial impact on +the PSF, since many hosting providers offer free plans which are sufficient for +a mirror. + + +Specification +============= + +The repository will be mirrored using Git's +`--mirror `__ +option, either using a platform's built-in integration [#gldoc]_ or a script. +The repository should be in the platform's equivalent of the GitHub +`python organization `_. + +To avoid confusion, all contribution-related tabs (Issues, Pull Requests, +Discussions, etc.) will be disabled, and the fact that the repository is a +mirror will be clearly noted in the description. + + +Security Implications +===================== + +This PEP increases the security workload, as two platforms must be secured. +Because the mirror is read-only, some risks of compromise are alleviated, +but not all. + +Access to the repository should follow the +`principle of least privilege `_. + + +Backwards Compatibility +======================= + +This PEP has no effect on existing contributor workflows. + + +Open Questions +============== + +What platform should be used? The platform should be free, so as not to have a +financial impact on the PSF. There are several options, for example +`GitLab `_ and `Codeberg `_. + + +Footnotes +========= + +.. [#ghcens] `Wikipedia: Censorship of GitHub `_ + +.. 
[#gldoc] `GitLab: Repository mirroring documentation `_ + + +Copyright +========= + +This document is placed in the public domain or under the +CC0-1.0-Universal license, whichever is more permissive. From b915c5fda37d707877a58942efefe8096c7756fd Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Wed, 10 Sep 2025 16:39:57 +0100 Subject: [PATCH 2/3] Fix CODEOWNERS typo --- .github/CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 97c599a1254..16fc367262a 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -679,7 +679,7 @@ peps/pep-0800.rst @JelleZijlstra peps/pep-0801.rst @warsaw peps/pep-0802.rst @AA-Turner peps/pep-0803.rst @encukou -peps/pep-0806.rst @ezio-melotti +peps/pep-0807.rst @ezio-melotti # ... peps/pep-2026.rst @hugovk # ... From 135b30edbd7465506183af8e19cf1e0826b4a003 Mon Sep 17 00:00:00 2001 From: Stan Ulbrych Date: Wed, 10 Sep 2025 18:23:08 +0100 Subject: [PATCH 3/3] Link thread --- peps/pep-0807.rst | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/peps/pep-0807.rst b/peps/pep-0807.rst index bae896d8b6d..9606897eb4a 100644 --- a/peps/pep-0807.rst +++ b/peps/pep-0807.rst @@ -2,10 +2,11 @@ PEP: 807 Title: Creation of a CPython mirror Author: Stan Ulbrych Sponsor: Ezio Melotti -Discussions-To: Pending +Discussions-To: https://discuss.python.org/t/103671 Status: Draft Type: Process Created: 10-Sep-2025 +Post-History: `10-Sep-2025 `__ Abstract
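Review bot: In the .github/CODEOWNERS hunk of patch 1/3, the added entry `peps/pep-0806.rst @ezio-melotti` does not match the file this commit creates, `peps/pep-0807.rst`, so the new PEP has no owner rule until patch 2/3 corrects the path. Squash the path fix into this commit so that no revision in the series carries a wrong ownership entry, and replace the subject "Commit" with one that names the PEP being added.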
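Review bot: In the new peps/pep-0807.rst (patch 1/3), the Security Implications section stops at "two platforms must be secured" and a pointer to least privilege, while the Specification leaves the sync mechanism open ("either using a platform's built-in integration [#gldoc]_ or a script"), so the text never says what credentials the mirror needs, where they are held, or who can alter the mirror's contents. Suggest contrasting the two mechanisms by the access each requires, naming who administers the mirror namespace, and describing how a user can confirm the mirror matches the GitHub repository (for example by comparing branch and tag commit IDs), since the Motivation has contributors pulling from the mirror during an outage. The Specification should also state which refs the `--mirror` sync carries, given the note that a standard clone does not pull all information. Minor: the Motivation says "The authors believe" while the Author header lists a single name.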