[Catalog-sig] PyPI mirror key rollover

Jannis Leidel jannis at leidel.info
Thu Apr 28 11:06:53 CEST 2011


On 28.04.2011, at 10:26, M.-A. Lemburg wrote:

> "Martin v. Löwis" wrote:
>> I came up with a key rollover scheme for the server key on PyPI.
>> [...]
>> 
>> The key rollover will be logged in the PyPI journal,
>> using an empty package name and an empty release. TOOLS USING
>> THE JOURNAL MAY NEED TO BE FIXED TO ACCOMMODATE EMPTY PACKAGE
>> NAMES. Earlier today, such a journal entry was already added;
>> I took it out again when I noticed that some tools actually
>> do need to be fixed.
> 
> I can't comment on the other parts of the proposal, but the above
> suggestion doesn't sound like a good solution: an empty package
> name in the update stream looks more like a server or client
> decoding bug than a trigger to do a key update.
> 
> Wouldn't it be better to use a descriptive package name such
> as "pypi-serverkey-update" together with a package version
> which identifies the new serverkey version as trigger?

+1 Yeah, a convention like that seems better than an empty release.

Jannis

