[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

[Jesus Cea]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 15/06/10 19:45, M.-A. Lemburg wrote:
> Note that with community servers that only mirror once a day,
> you'd have to wait up to a whole day for your package updates
> to become visible worldwide.

But TODAY mirror use is voluntary and per-user. That is, you use a
mirror because you want, not because pypi is pushing you around
transparently. I don't use mirrors so far, because pypi inestability
hasn't hit me so far, and because I don't "trust" mirrors (see next
paragraph).

I read pep 381 long time ago and I don't remember how/when a mirror
would update, but I do remember it doesn't mandate digital signatures
(signed by pypi central node, verified by setuptools&friends). That is a
big gap, in my opinion.

- -- 
Jesus Cea Avion                         _/_/      _/_/_/        _/_/_/
jcea at jcea.es - http://www.jcea.es/     _/_/    _/_/  _/_/    _/_/  _/_/
jabber / xmpp:jcea at jabber.org         _/_/    _/_/          _/_/_/_/_/
.                              _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQCVAwUBTBfEtZlgi5GaxT1NAQKuKAP/YUTRh9GXAlEa8X5trvnUsWmS6KRgxSIz
jxB35L9WwWKR0FMzeay1ThvOoiz5aXlrqGaBbEZiPjr3UuWMXRf+WSh2RoylEher
f5i8pxwwBwopVCKbRx07nWsroJUH9oIFYmTY/IIidqjh8UNL+FBBRCSRuFyay/H/
W/zxzjAFxuc=
=UVuI
-----END PGP SIGNATURE-----