[Catalog-sig] an immutable mirror of PyPI

Martijn Faassen faassen at startifact.com
Sat Jul 16 18:50:07 CEST 2011


Hey,

On Sat, Jul 16, 2011 at 6:40 PM, Benji York <benji at benjiyork.com> wrote:
> On Sat, Jul 16, 2011 at 6:58 AM, Martijn Faassen <faassen at startifact.com> wrote:
>> I wonder whether there are tooling solutions possible to detect this before
>> it's too late. A public log of what got removed would be useful so people
>> can keep an eye on things - but for this to be caught it would mean that the
>> log would need to include recreations as well.
>
> Being a buildout user, if I were to tackle that I'd add something along
> the lines of SSH's warnings when a host fingerprint changes.  I.e.,
> require that package hashes be given (much like you can require that
> versions be specified) and check those on download.

Yes, for changes this would be possible (assuming hashes). Removals by
themselves are another problem, though.

Regards,

Martijn
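The check Benji describes (pin a hash per package, compare on download, warn the way SSH does when a host key changes) together with the removal case raised in the reply, as an added example that is not code from the thread or from buildout. It parses pins written in pip's `--hash=sha256:<hex>` requirement syntax; the "download" step is a constructed in-memory stand-in for what an index or mirror serves, and the package names, versions and contents are made up for the illustration.

```python
"""Hash-pinned download verification (added example, not from the thread).

Pins use pip's ``name==version --hash=sha256:<hex>`` syntax. The fetch step
is a constructed in-memory stand-in for an index/mirror download.
"""
import hashlib
import hmac
import re

PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>\S+)"
    r"\s+--hash=sha256:(?P<digest>[0-9a-f]{64})\s*$"
)


def parse_pins(text):
    """Parse pinned requirement lines into {(name, version): sha256 hex}."""
    pins = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if not m:
            # Refuse unpinned lines: an unhashed requirement is exactly the
            # gap a silent re-upload would slip through.
            raise ValueError(f"line {lineno}: not a hash-pinned requirement: {line!r}")
        pins[(m["name"].lower(), m["version"])] = m["digest"]
    return pins


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_downloads(pins, fetched):
    """Compare each pinned distribution against what the index served.

    fetched maps (name, version) -> bytes, or None when the index no longer
    has the file. Returns {(name, version): status} with status one of:
      'ok'      - contents match the recorded pin
      'changed' - same name/version, different contents (the SSH
                  "host fingerprint changed" case)
      'removed' - file gone; only detectable because we remembered the pin
    """
    report = {}
    for key, expected in pins.items():
        data = fetched.get(key)
        if data is None:
            report[key] = "removed"
        elif hmac.compare_digest(sha256_hex(data), expected):
            report[key] = "ok"
        else:
            report[key] = "changed"
    return report


# --- constructed sample data -------------------------------------------------
ORIGINAL_FOO = b"foo-1.0 original sdist bytes (constructed)"
ORIGINAL_BAR = b"bar-2.1 original sdist bytes (constructed)"

# Pins recorded when the project was first locked (constructed).
PINS_TEXT = f"""
# locked on first install
foo==1.0 --hash=sha256:{sha256_hex(ORIGINAL_FOO)}
bar==2.1 --hash=sha256:{sha256_hex(ORIGINAL_BAR)}
baz==0.3 --hash=sha256:{sha256_hex(b'baz-0.3 original sdist bytes (constructed)')}
"""

# What the index serves later (constructed): foo unchanged, bar re-uploaded
# with different contents under the same version, baz deleted outright.
FETCHED_LATER = {
    ("foo", "1.0"): ORIGINAL_FOO,
    ("bar", "2.1"): b"bar-2.1 re-uploaded with different contents (constructed)",
    ("baz", "0.3"): None,
}


def demo():
    return verify_downloads(parse_pins(PINS_TEXT), FETCHED_LATER)


if __name__ == "__main__":
    for (name, version), status in sorted(demo().items()):
        print(f"{name}=={version}: {status}")
```

The two failure modes are deliberately reported separately: a `changed` result is what a hash-checking installer can refuse on its own, while `removed` can only be noticed by a tool that remembers what used to be there, which is why a pinned list (or an immutable mirror) is needed to make removals visible at all.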
