[Catalog-sig] an immutable mirror of PyPI

Benji York benji at benjiyork.com
Sat Jul 16 18:40:16 CEST 2011

On Sat, Jul 16, 2011 at 6:58 AM, Martijn Faassen <faassen at startifact.com> wrote:
> I wonder whether there are tooling solutions possible to detect this before
> it's too late. A public log of what got removed would be useful so people
> can keep an eye on things - but for this to be caught it would mean that the
> log would need to include recreations as well.

Being a buildout user, if I were to tackle that I'd add something along
the lines of SSH's warnings when a host fingerprint changes.  I.e.,
require that package hashes be given (much like you can require that
versions be specified) and check those on download.

Benji York
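
The check proposed in the message above, sketched as an added example that is not part of the original post and is not buildout code: required hashes are read from a pin file and every download is compared against them, with a changed hash treated like a changed SSH host fingerprint. The pin-file format, the choice of SHA-256, the names `parse_pins` and `check_download`, and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import re

PIN_LINE = re.compile(r"^(\S+)\s+sha256:([0-9a-fA-F]{64})$")

class MissingPin(Exception):
    """Pins are required and none is recorded for this file."""

class HashMismatch(Exception):
    """The file differs from what was pinned: the 'fingerprint changed' case."""

def parse_pins(text):
    """Parse '<filename> sha256:<hex>' lines (hypothetical format) into a dict."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # allow comments and blank lines
        if not line:
            continue
        m = PIN_LINE.match(line)
        if m is None:
            raise ValueError(f"pin file line {lineno}: malformed entry")
        name, digest = m.group(1), m.group(2).lower()
        if pins.setdefault(name, digest) != digest:
            raise ValueError(f"pin file line {lineno}: conflicting pin for {name}")
    return pins

def check_download(filename, data, pins, require_pins=True):
    """Return 'ok' or 'unpinned'; raise instead of accepting a changed file."""
    actual = hashlib.sha256(data).hexdigest()
    pinned = pins.get(filename)
    if pinned is None:
        if require_pins:
            raise MissingPin(f"{filename}: no pinned hash, refusing to install")
        return "unpinned"
    if not hmac.compare_digest(actual, pinned):
        raise HashMismatch(
            f"{filename}: HASH HAS CHANGED (pinned {pinned}, got {actual}); "
            "the file may have been removed and re-uploaded")
    return "ok"

# Constructed sample data: a release as first downloaded, and a re-upload
# that reuses the same filename with different contents.
ORIGINAL = b"constructed sdist bytes for example-1.0"
RECREATED = b"constructed sdist bytes for example-1.0, re-uploaded"
PINS = parse_pins(
    "# constructed pin file\n"
    f"example-1.0.tar.gz sha256:{hashlib.sha256(ORIGINAL).hexdigest()}\n")
```

With `require_pins=False` an unpinned file is reported as `'unpinned'` rather than rejected, which corresponds to the first-contact case in SSH.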
