[Catalog-sig] Moving forward

Moshe Zadka moshez@zadka.site.co.il
Tue, 24 Apr 2001 08:24:32 +0300


On Mon, 23 Apr 2001, Amos Latteier <amos@digicool.com> wrote:

>   1. How can the server identify the uploader? You can include an
> optional signature file, however if you don't include this file there is
> no way to associate an identity with the uploaded file. In my prototype
> even if you don't include a signature file the server requires an
> account and keeps track of who uploaded what. Perhaps there could be
> optional support for HTTP authentication during the upload. This would
> allow the distutils to supply optional authentication credentials.

I think this is a feature in PEP-243 -- no false sense of security.
We do have to think about maintaining a keyring in the server, though.

>   2. Platform specification. Should the server validate the platform
> specification? I suspect that platform specification in general is a rat
> hole. For example a binary package may require all sorts of things that
> are hard to represent as an os, os version, and Python version. I still
> haven't implemented platform specification in my prototype.

Well, if the specification is too complex, then the uploader can just
punt on uploading binary packages...

>   3. PKG-INFO conflicts. The PEP allows both extraction of the PKG-INFO
> file from the package and an optional upload of the PKG-INFO file. What
> happens if these files are not the same? I propose that the PKG-INFO
> file in the package be used if there is a conflict.

I suggest that the upload will be rejected.
In the face of ambiguity, refuse the temptation to guess.

-- 
"I'll be ex-DPL soon anyway so I'm        |LUKE: Is Perl better than Python?
looking for someplace else to grab power."|YODA: No...no... no. Quicker,
   -- Wichert Akkerman (on debian-private)|      easier, more seductive.
For public key, finger moshez@debian.org  |http://www.{python,debian,gnu}.org