[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

"Martin v. Löwis" martin at v.loewis.de
Tue Jun 15 22:04:55 CEST 2010

> I read pep 381 long time ago and I don't remember how/when a mirror
> would update, but I do remember it doesn't mandate digital signatures
> (signed by pypi central node, verified by setuptools&friends). That is a
> big gap, in my opinion.

The PEP doesn't explain the digital signing that is going on in 
mirroring. See


This is fully implemented (except that client would need to verify the 
signatures, and except key rollover hasn't happened yet).


More information about the Catalog-SIG mailing list