[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability
"Martin v. Löwis"
martin at v.loewis.de
Tue Jun 15 22:04:55 CEST 2010
> I read PEP 381 a long time ago and I don't remember how/when a mirror
> would update, but I do remember it doesn't mandate digital signatures
> (signed by PyPI central node, verified by setuptools & friends). That is a
> big gap, in my opinion.

The PEP doesn't explain the digital signing that is going on in
mirroring. See

http://mail.python.org/pipermail/catalog-sig/2009-March/002018.html

This is fully implemented (except that the client would need to verify the
signatures, and except key rollover hasn't happened yet).

Regards,
Martin