[Catalog-sig] an immutable mirror of PyPI
faassen at startifact.com
Mon Jul 4 22:31:31 CEST 2011
Is there any interest in running an immutable mirror of PyPI on
python.org as a service to package users?
What it would do is mirror the PyPI index and packages, with one
difference: releases and packages once mirrored will be mirrored
indefinitely. It will not accept changes of existing releases, or
removal of existing releases from the mirror. Instead, it would keep an
archive of these forever. To deal with cases where people make an upload
by mistake, there could be a "window of removal", however, where removal
is accepted if a release is not older than a certain age.
Is there perhaps already mirroring code that can be used to create such
The motivation is to share a service that many of us are using PyPI for
already: a way to conveniently share packages without having to make
local backups or distribute local copies to all people who use our
project. To reliably share packages the current PyPI is not sufficient,
as PyPI has a philosophy of being a hosting site for packagers and
therefore should allow package maintainers to freely change or remove
previous releases at any point in time.
Such an immutable mirror would be useful to package developers as well:
you can release package a that depends on package b. You can then know
that package b can't just be removed or modified, so that people who
download your package a from the mirror can be guaranteed to always have
access to the same package b that you tested your code with yourself.
There would need to be a mechanism for the mirror administrators to
remove releases on rare occasions where this might be needed for reasons
of security or legality.
More information about the Catalog-SIG