[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability
Jesus Cea
jcea at jcea.es
Tue Jun 15 19:44:05 CEST 2010
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 15/06/10 14:20, Michael Crute wrote:
> What about a set of volunteer mirrors of PyPi similar to the way CPAN
> and Linux distributions handle this problem. pypi.python.org? That
> approach eliminates any cost for the PSF and might ultimately result
> in better reliability. With the volunteer mirror system you would
> still statically generate the files and just make them available for
> rsync then setup a page to allow mirrors to register (see CPAN). If
> you take this approach I would be happy to donate a mirror to the
> pool.
I would rather prefer this approach, actually. With the following
changes in current code:
1. setuptools & friends: Support for retrying several mirrors if first
try fails.
2. Packages MUST be digitally signed. Ideally by the owner, but at least
by PYPI central node (current pypi server). That way, a "rogue" mirror
can't distribute trojans.
3. Trusting the stats is not possible :(, if there are "rogue" mirrors.
- --
Jesus Cea Avion _/_/ _/_/_/ _/_/_/
jcea at jcea.es - http://www.jcea.es/ _/_/ _/_/ _/_/ _/_/ _/_/
jabber / xmpp:jcea at jabber.org _/_/ _/_/ _/_/_/_/_/
. _/_/ _/_/ _/_/ _/_/ _/_/
"Things are not so easy" _/_/ _/_/ _/_/ _/_/ _/_/ _/_/
"My name is Dump, Core Dump" _/_/_/ _/_/_/ _/_/ _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQCVAwUBTBe75Zlgi5GaxT1NAQLnawP+J4Cb6ywGCpIEOsD1L4mbUTfnWnh9X59T
zxTjxbEdCaZrbLgY2KuAAoAdSocmrQFhX/zfeMxEpoilnLH2mZknM+Bb6icNAzbR
JFYDmfu7QPhUjPrNgFlQhXQsuuMnpNEzTv3yINmjKZg2OYwU7BhbolFKrAGF+b+5
kKmnwWjTju0=
=rQh4
-----END PGP SIGNATURE-----
More information about the Catalog-SIG
mailing list