[Catalog-sig] PyPI mirrors are all up to date

"Martin v. Löwis" martin at v.loewis.de
Tue Apr 17 00:22:54 CEST 2012

> fwiw Crate verifies the md5 hashes that the simple api gives for
> each package. I think not doing that should be considered wrong.
> (it's considered important for clients to check the checksum of
> packages they download, but mirrors that are going to be 
> redistributing their files to clients this isn't important? Seems to
> be a disconnect between the thoughts).

I think this is a quality-of-implementation issue. They could verify
the md5; they could also verify the serversig. Some do, some don't.
Or they could claim they do but actually don't. Ultimately, clients
either need to trust the mirror, or do the verification themselves.


More information about the Catalog-SIG mailing list