[Catalog-sig] an immutable mirror of PyPI

Martijn Faassen faassen at startifact.com
Sat Jul 16 18:50:07 CEST 2011


On Sat, Jul 16, 2011 at 6:40 PM, Benji York <benji at benjiyork.com> wrote:
> On Sat, Jul 16, 2011 at 6:58 AM, Martijn Faassen <faassen at startifact.com> wrote:
>> I wonder whether there are tooling solutions possible to detect this before
>> it's too late. A public log of what got removed would be useful so people
>> can keep an eye on things - but for this to be caught it would mean that the
>> log would need to include recreations as well.
> Being a buildout user, if I were to tackle that I'd add something along
> the lines of SSH's warnings when a host fingerprint changes.  I.e.,
> require that package hashes be given (much like you can require that
> versions be specified) and check those on download.

Yes, for changes this would be possible (assuming hashes). Removals by
themselves are another problem, though.



More information about the Catalog-SIG mailing list