[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability
"Martin v. Löwis"
martin at v.loewis.de
Tue Jun 15 21:48:38 CEST 2010
> 1. setuptools& friends: Support for retrying several mirrors if first
> try fails.
That's the part that still needs to be implemented.
> 2. Packages MUST be digitally signed. Ideally by the owner, but at least
> by PYPI central node (current pypi server). That way, a "rogue" mirror
> can't distribute trojans.
That is already part of the mirroring infrastructure (although still not
explained in PEP 381 yet).
> 3. Trusting the stats is not possible :(, if there are "rogue" mirrors.
That's true.
Regards,
Martin
More information about the Catalog-SIG
mailing list