[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability
"Martin v. Löwis"
martin at v.loewis.de
Sat Jun 19 17:58:54 CEST 2010

> A simple way to protect against just the issue you mentioned is to
> have the clients retrieve the key over HTTPS or distribute the key
> with the client.

Ok. I have now enabled https for PyPI (https://pypi.python.org/pypi).

> Okay. We'd be happy to work with you to get an easy solution put in
> place.

Thanks for the offer. Notice that this project is primarily about
mirroring; other issues (should they exist) preferably should be dealt
with separately.

> TUF is fairly early stage (our first major deployment is ongoing),
> but might be worth consideration. I think we could probably put
> together a quick demo so that you and others could see how it might
> work with one of the existing client updaters.

I don't think adding another dependency to the clients is really
acceptable. Instead, it must all be self-contained.

Regards,
Martin