
On Mar 20, 2013, at 12:45 PM, Paul Moore <p.f.moore@gmail.com> wrote:
On 20 March 2013 16:31, Nick Coghlan <ncoghlan@gmail.com> wrote:
Then the pip developers, for example, could say "we trust Christoph to make our Windows installers", and grant him repackager access so he could upload the binaries for secure redistribution from PyPI rather than needing to host them himself.
Another axis of the same idea would be to allow people to upload "unofficial" binaries. The individual would not need to be confirmed as trusted by the project, but his uploads would *not* be visible by default on PyPI. Users would be able to "opt in" to builds by that individual, and if they did, those builds would be merged in with what's on PyPI.
That model is much closer to how Christoph is actually working at the moment - people can choose whether to trust him, but if they do they can get his builds and the upstream projects don't get involved.
Paul
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig

Why can't unofficial binaries just use a separate index? e.g. Christoph can just make an index with his binaries. This solution also works well if someone wants to maintain a curated PyPI.

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA