[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability
Tarek Ziadé
ziade.tarek at gmail.com
Tue Jun 15 20:52:14 CEST 2010
On Tue, Jun 15, 2010 at 8:21 PM, Jesus Cea <jcea at jcea.es> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 15/06/10 19:45, M.-A. Lemburg wrote:
>> Note that with community servers that only mirror once a day,
>> you'd have to wait up to a whole day for your package updates
>> to become visible worldwide.
>
> But TODAY mirror use is voluntary and per-user. That is, you use a
> mirror because you want, not because pypi is pushing you around
> transparently. I don't use mirrors so far, because pypi inestability
> hasn't hit me so far, and because I don't "trust" mirrors (see next
> paragraph).
>
> I read PEP 381 a long time ago and I don't remember how/when a mirror
> would update, but I do remember it doesn't mandate digital signatures
> (signed by the pypi central node, verified by setuptools & friends). That is a
> big gap, in my opinion.
You don't trust mirrors right now, but if they are listed at PyPI as
official mirrors, they are managed by people who can be trusted as much
as you can trust the PyPI sysadmin, for instance, and much, much more
than the packages you can download at PyPI.
Do you trust the package you are installing more than an "official"
mirror? If so, why?
Anyone can upload a package at PyPI with
os.system('rm -rf /')
in its setup.py...
Regards
Tarek
--
Tarek Ziadé | http://ziade.org
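Tarek's point is that installing an sdist executes its setup.py, so the package itself is the least trusted link. As an added example that is not part of this thread, the hypothetical pre-install check below parses a setup.py with the standard `ast` module, without executing it, and lists calls that can run commands or delete files; the sample setup.py is constructed here and includes the one-liner Tarek describes.

```python
import ast

# Calls that let a setup.py run arbitrary commands or destroy files.
# A reviewer wants to see these before the file is ever executed.
SUSPICIOUS_CALLS = {
    "os.system", "os.popen", "os.remove", "os.unlink",
    "subprocess.call", "subprocess.run", "subprocess.Popen",
    "subprocess.check_call", "subprocess.check_output",
    "shutil.rmtree", "eval", "exec", "__import__",
}


def _dotted_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_setup_py(source):
    """Parse setup.py source (never exec it) and report suspicious calls.

    Returns a sorted list of (line_number, dotted_call_name) tuples.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                findings.append((node.lineno, name))
    return sorted(findings)


# Constructed sample: the setup.py Tarek describes, wrapped in an
# otherwise ordinary setup() call. It is only parsed, never run.
SAMPLE_SETUP_PY = """\
from setuptools import setup
import os
os.system('rm -rf /')
setup(name='evil', version='0.1')
"""

if __name__ == "__main__":
    for lineno, name in scan_setup_py(SAMPLE_SETUP_PY):
        print(f"line {lineno}: call to {name}")
```

A static pass like this is a coarse triage step: string-built or obfuscated calls will not match, so it complements, rather than replaces, building untrusted packages in an isolated environment.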