[Catalog-sig] an immutable mirror of PyPI

Benji York benji at benjiyork.com
Sat Jul 16 18:40:16 CEST 2011


On Sat, Jul 16, 2011 at 6:58 AM, Martijn Faassen <faassen at startifact.com> wrote:
> I wonder whether there are tooling solutions possible to detect this before
> it's too late. A public log of what got removed would be useful so people
> can keep an eye on things - but for this to be caught it would mean that the
> log would need to include recreations as well.

Being a buildout user, if I were to tackle that I'd add something along
the lines of SSH's warnings when a host fingerprint changes.  I.e.,
require that package hashes be given (much like you can require that
versions be specified) and check those on download.
-- 
Benji York
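
The check suggested in the message above, sketched as an added example that is not part of the original post and not buildout's own code. The function names, the file name and the sample bytes are constructed for illustration; SHA-256 is an assumed choice of hash.

```python
import hashlib
import hmac


class HashMismatch(Exception):
    """The downloaded bytes differ from the pinned hash (file was replaced)."""


class MissingPin(Exception):
    """No hash is pinned for this file and pins are required."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_download(filename, data, pins, require_pins=True):
    """Verify downloaded bytes against the hash pinned for filename.

    Returns "verified" on a match. With require_pins=False an unknown file is
    pinned on first use (as SSH does for an unknown host) and "pinned" is
    returned. A missing pin in strict mode, or any change, raises.
    """
    actual = sha256_hex(data)
    expected = pins.get(filename)
    if expected is None:
        if require_pins:
            raise MissingPin(f"no hash pinned for {filename}; got sha256={actual}")
        pins[filename] = actual  # trust on first use: remember what we saw
        return "pinned"
    if not hmac.compare_digest(expected.lower(), actual):
        raise HashMismatch(
            f"WARNING: {filename} HAS CHANGED since it was pinned\n"
            f"  pinned sha256: {expected}\n"
            f"  actual sha256: {actual}"
        )
    return "verified"


# Constructed sample data: a release, and a re-upload under the same file name.
ORIGINAL = b"constructed sdist bytes, version 1.0"
RECREATED = b"constructed sdist bytes, version 1.0 (re-uploaded)"
PINS = {"example-1.0.tar.gz": sha256_hex(ORIGINAL)}

if __name__ == "__main__":
    print(check_download("example-1.0.tar.gz", ORIGINAL, PINS))
    try:
        check_download("example-1.0.tar.gz", RECREATED, PINS)
    except HashMismatch as exc:
        print(exc)
```

Because the pin is on the file's content rather than its name or version, a release that is removed and recreated under the same name fails the check even if no removal log exists.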

