On 4/9/13 1:17 AM, Justin Cappos wrote:
His 29MB and 58MB numbers assume that every developer has their own key right now. We don't think this is likely to happen and propose initially signing everything that the developers don't sign with a single PyPI key.
It also assumes there are no abandoned packages / devel accounts. I also think many devels won't go back and sign all old versions of their software. So my number is definitely a back-of-the-envelope calculation using Trishank's data. Trishank's calculations are much more expressive, but are the "worst case" size.
Correct. Justin based his back-of-the-envelope calculation on some very rough prior estimates of mine, so they may be a little off. Nevertheless, our argument remains: sharing a key across, say, a thousand packages will certainly reduce the metadata by quite a bit. Combine that with compression or difference schemes, and you get even more savings.