[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

"Martin v. Löwis" martin at v.loewis.de
Sat Jun 19 17:58:54 CEST 2010


> A simple way to protect against just the issue you mentioned is to
> have the clients retrieve the key over HTTPS or distribute the key
> with the client.

Ok. I have now enabled https for PyPI (https://pypi.python.org/pypi)

> Okay.   We'd be happy to work with you to get an easy solution put in
> place.

Thanks for the offer. Notice that this project is primarily about 
mirroring; other issues (should they exist) preferably should be dealt 
with separately.

> TUF is fairly early stage (our first major deployment is on going),
> but might be worth consideration.   I think we could probably put
> together a quick demo so that you and others could see how it might
> work with one of the existing client updaters.

I don't think adding another dependency to the clients is really 
acceptable. Instead, it must all be self-contained.

Regards,
Martin


More information about the Catalog-SIG mailing list