[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

"Martin v. Löwis" martin at v.loewis.de
Tue Jun 15 21:48:38 CEST 2010

> 1. setuptools&  friends: Support for retrying several mirrors if first
> try fails.

That's the part that still needs to be implemented.

> 2. Packages MUST be digitally signed. Ideally by the owner, but at least
> by PYPI central node (current pypi server). That way, a "rogue" mirror
> can't distribute trojans.

That is already part of the mirroring infrastructure (although still not 
explained in PEP 381 yet).

> 3. Trusting the stats is not possible :(, if there are "rogue" mirrors.

That's true.


More information about the Catalog-SIG mailing list