[Catalog-sig] PyPI mirror key rollover

"Martin v. Löwis" martin at v.loewis.de
Thu Apr 28 22:03:22 CEST 2011


On 28.04.2011 10:26, M.-A. Lemburg wrote:
> "Martin v. Löwis" wrote:
>> I came up with a key rollover scheme for the server key on PyPI.
>> [...]
>>
>> The key rollover will be logged in the PyPI journal,
>> using an empty package name and an empty release. TOOLS USING
>> THE JOURNAL MAY NEED TO BE FIXED TO ACCOMMODATE EMPTY PACKAGE
>> NAMES. Earlier today, such a journal entry was already added;
>> I took it out again when I noticed that some tools actually
>> do need to be fixed.
> 
> I can't comment on the other parts of the proposal, but the above
> suggestion doesn't sound like a good solution: an empty package
> name in the update stream looks more like a server or client
> decoding bug than a trigger to do a key update.

Oops, I forgot a critical detail: the "action" string in the journal
entry would be "keyrotate".

> Wouldn't it be better to use a descriptive package name such
> as "pypi-serverkey-update" together with a package version
> which identifies the new serverkey version as trigger?

That would not be good - tools would (rightly) assume that there
is a package with that name, and try to mirror it.

Regards,
Martin
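As an added illustration of the point in this exchange (example code, not from the thread or from PyPI), here is how a mirror's journal consumer can dispatch on the "keyrotate" action before treating an entry as a package, so the empty package name is neither misread as a decoding bug nor mirrored as a package. The (name, version, timestamp, action) tuple layout and the sample journal are assumptions constructed for the example.

```python
# Added example: a mirror-side journal consumer that handles key rollover
# entries (empty name, empty release, action "keyrotate") explicitly.
# The entry layout (name, version, timestamp, action) is an assumption.
from dataclasses import dataclass, field

KEYROTATE = "keyrotate"


@dataclass
class MirrorState:
    packages_to_fetch: list = field(default_factory=list)  # (name, version)
    key_rollovers: list = field(default_factory=list)      # timestamps
    rejected: list = field(default_factory=list)           # (timestamp, action)


def process_journal(entries, state=None):
    """Apply journal entries to mirror state and return the state.

    A "keyrotate" entry is a server key rollover: it names no package and
    must only trigger a key refresh. Any other entry with an empty package
    name is malformed and is recorded rather than fetched.
    """
    state = state or MirrorState()
    for name, version, timestamp, action in entries:
        if action == KEYROTATE:
            # Rollover: refresh the server key; never look for a package.
            state.key_rollovers.append(timestamp)
            continue
        if not name:
            # Outside a rollover, an empty name really is a decoding error.
            state.rejected.append((timestamp, action))
            continue
        state.packages_to_fetch.append((name, version))
    return state


# Constructed sample journal, not real PyPI data.
SAMPLE_JOURNAL = [
    ("foo", "1.0", 1303900000, "new release"),
    ("", "", 1303999382, KEYROTATE),          # key rollover entry
    ("", "", 1303999400, "new release"),      # malformed: empty name
    ("bar", "2.1", 1304000000, "update"),
]

if __name__ == "__main__":
    print(process_journal(SAMPLE_JOURNAL))
```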

