9 Apr 2013, 5:19 a.m.
On Tue, Apr 9, 2013 at 3:17 PM, Justin Cappos <jcappos@poly.edu> wrote:
> His 29MB and 58MB numbers assume that every developer has their own key right now. We don't think this is likely to happen and propose initially signing everything that the developers don't sign with a single PyPI key.
>
> It also assumes there are no abandoned packages / devel accounts. I also think many devels won't go back and sign all old versions of their software. So my number is definitely a back-of-the-envelope calculation using Trishank's data. Trishank's calculations are much more expressive, but are the "worst case" size.
OK, that makes sense - thanks for the clarification.

Cheers,
Nick.

--
Nick Coghlan | ncoghlan@gmail.com | Brisbane, Australia