[Catalog-sig] What is the point of pythonpackages.com?
stefan-usenet at bytereef.org
Mon Feb 6 22:35:27 CET 2012
Martijn Faassen <faassen at startifact.com> wrote:
> On 02/06/2012 09:08 PM, Stefan Krah wrote:
>> I don't see any inconvenience since bytereef.org has a comparable
>> uptime to python.org.
> I've experienced a site which was hosting a Python package which had
> awesome uptime, but then something was screwed up about the security of
> the host at some point and while it remained up, it took forever
> (months? years?) to get resolved.
And? I'm not exactly unreachable and I doubt there will be a security problem.
Furthermore I'm posting the sha256sums of the packages in the announcements,
so they are archived on several mailing lists.
For the general case I'd suggest that PyPI gives an author the option to
tie an sha256sum to a package version *once*. This leaves an opportunity
to correct a release (recent discussion), but as soon as the checksum is
published it cannot be altered.
If a package is removed entirely, any version numbers that have been used
would need to be stored internally to prevent a re-upload with the same name
but a different checksum.
The download tools would need to get the capability to verify the checksum.
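The pin-once scheme proposed in this message, modelled as an added Python example (not PyPI code and not anything from the thread): a registry that ties one sha256 to each (name, version), refuses later changes, keeps the digests of removed packages as tombstones, and exposes the verify step a download tool would run. The package name and archive bytes are constructed for illustration.

```python
import hashlib
import hmac


class ChecksumRegistry:
    """Toy model: one sha256 per (package, version), accepted once and never
    altered; digests outlive package removal so a version cannot be re-used
    with different contents."""

    def __init__(self):
        self._pinned = {}   # (name, version) -> hex digest of a live release
        self._retired = {}  # (name, version) -> hex digest kept after removal

    def pin(self, name, version, sha256_hex):
        """Tie a checksum to a version. The first pin wins; repeating the same
        digest is a no-op, any other digest is refused."""
        key = (name, version)
        previous = self._pinned.get(key) or self._retired.get(key)
        if previous is not None and previous != sha256_hex:
            raise ValueError(f"{name} {version}: checksum already published")
        self._pinned[key] = sha256_hex

    def remove_package(self, name):
        """Drop every release of a package but keep the digests as tombstones."""
        for key in [k for k in self._pinned if k[0] == name]:
            self._retired[key] = self._pinned.pop(key)

    def verify(self, name, version, data):
        """Download-tool side: hash the fetched archive and compare it with the
        pinned digest. Unknown or removed releases fail closed."""
        expected = self._pinned.get((name, version))
        if expected is None:
            return False
        return hmac.compare_digest(sha256_hex(data), expected)


def sha256_hex(data):
    """Hex sha256 of an archive, the value an author would post in an announcement."""
    return hashlib.sha256(data).hexdigest()


def pin_accepted(registry, name, version, sha256_hex_digest):
    """True if the registry accepted the pin, False if it refused it."""
    try:
        registry.pin(name, version, sha256_hex_digest)
        return True
    except ValueError:
        return False
```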