[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

Jesus Cea jcea at jcea.es
Tue Jun 15 19:44:05 CEST 2010

Hash: SHA1

On 15/06/10 14:20, Michael Crute wrote:
> What about a set of volunteer mirrors of PyPi similar to the way CPAN
> and Linux distributions handle this problem. pypi.python.org? That
> approach eliminates any cost for the PSF and might ultimately result
> in better reliability. With the volunteer mirror system you would
> still statically generate the files and just make them available for
> rsync then setup a page to allow mirrors to register (see CPAN). If
> you take this approach I would be happy to donate a mirror to the
> pool.

I would rather prefer this approach, actually. With the following
changes in current code:

1. setuptools & friends: Support for retrying several mirrors if first
try fails.

2. Packages MUST be digitally signed. Ideally by the owner, but at least
by PYPI central node (current pypi server). That way, a "rogue" mirror
can't distribute trojans.

3. Trusting the stats is not possible :(, if there are "rogue" mirrors.

- -- 
Jesus Cea Avion                         _/_/      _/_/_/        _/_/_/
jcea at jcea.es - http://www.jcea.es/     _/_/    _/_/  _/_/    _/_/  _/_/
jabber / xmpp:jcea at jabber.org         _/_/    _/_/          _/_/_/_/_/
.                              _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


More information about the Catalog-SIG mailing list