[Distutils] What to do about the PyPI mirrors

Lennart Regebro regebro at gmail.com
Tue Aug 6 09:53:05 CEST 2013


On Tue, Aug 6, 2013 at 9:10 AM, holger krekel <holger at merlinux.eu> wrote:
> PyPI mirrors _are_ associated with PyPI and pypi.python.org.
> (Why) Do you want to flatly rule out pip/pypi.python.org support
> for managing mirrors?

Automatic mirror discovery opens extra security holes until we have
found some way to tighten up the security in general. Once we have a
way of verifying packages that works and that doesn't rely on the
mirror you are using, we could add it back. Indeed, just having a json
list makes sense.

//Lennart

