[Catalog-sig] RFC: PEP243: Module Repository Upload Mechanism

[Martin v. Loewis]

Hi Sean,

I have a few minor comments to your draft.

> This form is posted using ENCTYPE="multipart/form-data" encoding [RFC1867].

This RFC is informative only; the RFC specifying the
multipart/form-data content type is RFC 2388.

>         signature (optional) -- A OpenPGP-compatible signature [RFC2440]
>         of the uploaded distribution as signed by the author.  This may be
>         used by the cataloging system to automate acceptance of uploads.

Is that required to be an ASCII armor (6.2), or can it be a raw
detached signature (10.3)? If the latter, your form should probably
not expect text input there (even if it is an armor, a multiline input
would be more appropriate).

Is it also acceptable to send a Signed Message (10.2) as the
distribution? If so, is it then still mandatory to send the md5sum?
Does the md5sum then apply to the signed or the unsigned distribution?

>     The upload client must submit the page in the same form as
>     Netscape Navigator version 4.76 for Linux produces when presented
>     with the following form:

Wasn't there some complaint about that wording already? What kind of
requirement does that state, beyond what is already specified above
(host, port, method, mime-type, field list).

E.g. I believe Netscape will send all fields, even if left empty. Is
that a requirement, or is it allowed to leave out fields which are
described as optional? Also, that could be read into mandating a
specific order in which the fields must be sent? Is that a
requirement?

My proposal is to not use the word "must" in that entire section, and
to make it clear otherwise that the section is informative.

>     I currently have a proof-of-concept client and server implemented.

Is that available somewhere?

Regards,
Martin