[Catalog-sig] an immutable mirror of PyPI

Martijn Faassen faassen at startifact.com
Mon Jul 4 22:31:31 CEST 2011


Hi there,

Is there any interest in running an immutable mirror of PyPI on 
python.org as a service to package users?

What it would do is mirror the PyPI index and packages, with one 
difference: releases and packages once mirrored will be mirrored 
indefinitely. It will not accept changes of existing releases, or 
removal of existing releases from the mirror. Instead, it would keep an 
archive of these forever. To deal with cases where people make an upload 
by mistake, there could be a "window of removal", however, where removal 
is accepted if a release is not older than a certain age.

Is there perhaps already mirroring code that can be used to create such 
a service?

The motivation is to share a service that many of us are using PyPI for 
already: a way to conveniently share packages without having to make 
local backups or distribute local copies to all people who use our 
project. To reliably share packages the current PyPI is not sufficient, 
as PyPI has a philosophy of being a hosting site for packagers and 
therefore should allow package maintainers to freely change or remove 
previous releases at any point in time.

Such an immutable mirror would be useful to package developers as well: 
you can release package a that depends on package b. You can then know 
that package b can't just be removed or modified, so that people who 
download your package a from the mirror can be guaranteed to always have 
access to the same package b that you tested your code with yourself.

There would need to be a mechanism for the mirror administrators to 
remove releases on rare occasions where this might be needed for reasons 
of security or legality.

Regards,

Martijn
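
Added illustration, not part of the original message and not code from PyPI or any existing mirroring tool: a sketch of the sync policy the post describes (keep everything once mirrored, honour upstream removals only inside a "window of removal", allow administrator takedowns). The 24-hour window, the use of a SHA-256 digest to notice changed files, the first-mirrored time as the release's age, and all names and sample data are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

REMOVAL_WINDOW = timedelta(hours=24)  # assumed; the post only says "a certain age"

@dataclass(frozen=True)
class Entry:
    sha256: str            # digest of the file as first mirrored (assumed change check)
    mirrored_at: datetime  # first-seen time, used here as the release's age

def sync(mirror, upstream, now, admin_removed=frozenset(), window=REMOVAL_WINDOW):
    """One sync pass. mirror: {filename: Entry}; upstream: {filename: sha256}.
    Returns (new_mirror, log); the mirror's stored bytes are never replaced."""
    result, log = {}, []
    for name, entry in mirror.items():
        if name in admin_removed:                      # security/legal takedown
            log.append((name, "removed-by-admin"))
            continue
        if name not in upstream:
            if now - entry.mirrored_at <= window:      # mistaken upload, still young
                log.append((name, "removed-within-window"))
                continue
            log.append((name, "kept-upstream-removed"))
        elif upstream[name] != entry.sha256:
            log.append((name, "kept-upstream-changed"))  # keep original digest
        result[name] = entry
    for name, digest in upstream.items():
        if name not in mirror and name not in admin_removed:
            result[name] = Entry(digest, now)
            log.append((name, "added"))
    return result, log

def demo():
    """Constructed sample data; file names and digests are made up."""
    now = datetime(2011, 7, 4, 22, 0)
    old, young = now - timedelta(days=30), now - timedelta(hours=1)
    mirror = {
        "b-1.0.tar.gz": Entry("aaa", old),    # later deleted upstream
        "b-1.1.tar.gz": Entry("bbb", old),    # later re-uploaded with new content
        "c-0.1.tar.gz": Entry("ccc", young),  # deleted upstream an hour after upload
        "d-2.0.tar.gz": Entry("ddd", old),    # taken down by mirror admins
    }
    upstream = {"b-1.1.tar.gz": "xxx", "d-2.0.tar.gz": "ddd", "e-1.0.tar.gz": "eee"}
    return sync(mirror, upstream, now, admin_removed={"d-2.0.tar.gz"})

if __name__ == "__main__":
    for name, action in demo()[1]:
        print(f"{action:24} {name}")
```

The log doubles as an audit trail: every "kept-upstream-changed" or "kept-upstream-removed" entry marks a point where the mirror and PyPI have diverged and a dependent package would otherwise have been affected.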


