[Catalog-sig] [PSF-Board] Troubled by changes to PyPI usage agreement

Tarek Ziadé ziade.tarek at gmail.com
Thu Jan 21 13:06:19 CET 2010

On Thu, Jan 21, 2010 at 12:51 PM, M.-A. Lemburg <mal at egenix.com> wrote:
> The problem gets real when putting the data up on the web for
> users to download via a browser. If they then install directly from
> the file without checking signatures, they can easily be tricked
> into executing malware - and that would put the original author
> of such a package into a pretty bad light.
> In any case, that was just a list of examples.

What about restricting the mirrors to the non web part in that case ?

Because the mirroring infrastructure is really intended for what I
would call a "professional" usage of PyPI, where it matters if it's
down for some time. And this usage is always done through automated

If the PyPI *website* part is down for a while, it's a minor annoyance
for people that are installing by clicking.

Then, in a second phase, we could have a second mirroring level with a
web part, and ask for the maintainer to sign a "mirror agreement" to
make him responsible in case he's a bad guy, and make him/her
acknowledge some PSF members maybe ? Because the people that are
willing to maintain mirrors are respected/known developers.

But the latter is not really what we need for our everyday work.


Tarek Ziadé | http://ziade.org

More information about the Catalog-SIG mailing list