[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

Tarek Ziadé ziade.tarek at gmail.com
Tue Jun 15 20:52:14 CEST 2010

On Tue, Jun 15, 2010 at 8:21 PM, Jesus Cea <jcea at jcea.es> wrote:
> Hash: SHA1
> On 15/06/10 19:45, M.-A. Lemburg wrote:
>> Note that with community servers that only mirror once a day,
>> you'd have to wait up to a whole day for your package updates
>> to become visible worldwide.
> But TODAY mirror use is voluntary and per-user. That is, you use a
> mirror because you want, not because pypi is pushing you around
> transparently. I don't use mirrors so far, because pypi inestability
> hasn't hit me so far, and because I don't "trust" mirrors (see next
> paragraph).
> I read pep 381 long time ago and I don't remember how/when a mirror
> would update, but I do remember it doesn't mandate digital signatures
> (signed by pypi central node, verified by setuptools&friends). That is a
> big gap, in my opinion.

You don't trust mirrors right now, but if they are listed at PyPI as
official mirrors,
that are managed by people that can be trusted as much as you can trust
the PyPI syadmin for instance, and much much more than the packages
you can download at PyPI.

Do you trust the package you are installing more than an "official"
mirror ? if so, why ?

Anyone can upload a package at PyPI with

   os.system('rm -rf /')

in its setup.py...


Tarek Ziadé | http://ziade.org

More information about the Catalog-SIG mailing list