[Catalog-sig] PyPI mirrors are all up to date
donald.stufft at gmail.com
Tue Apr 17 00:31:54 CEST 2012
On Monday, April 16, 2012 at 6:22 PM, "Martin v. Löwis" wrote:
> > fwiw Crate verifies the md5 hashes that the simple api gives for
> > each package. I think not doing that should be considered wrong.
> > (it's considered important for clients to check the checksum of
> > packages they download, but mirrors that are going to be
> > redistributing their files to clients this isn't important? Seems to
> > be a disconnect between the thoughts).
> I think this is a quality-of-implementation issue. They could verify
> the md5; they could also verify the serversig. Some do, some don't.
> Or they could claim they do but actually don't. Ultimately, clients
> either need to trust the mirror, or do the verification themselves.
Yeah, ultimately the clients will need to do the verification themselves. I
only meant that, to have somewhat more useful mirrors (corrupted data, bugs
in scripts, etc.), it would make sense for mirrors to verify that the data they
are getting is the data they are expecting, so they don't serve bad data. While
a verifying client won't be affected by that bad data, it does lower the overall
availability for that file.
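
The mirror-side check discussed in this message, as an added example (not part of the original post and not Crate's or any mirror tool's code). It assumes the simple index links carry a "#md5=<hex>" fragment; the function names and the sample page are constructed for illustration.

```python
import hashlib
import os
import tempfile
from html.parser import HTMLParser
from urllib.parse import urldefrag, urlsplit


class SimpleIndexLinks(HTMLParser):
    """Collect {filename: expected_md5} from a simple-index page."""

    def __init__(self):
        super().__init__()
        self.expected = {}

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag != "a" or not href:
            return
        url, fragment = urldefrag(href)
        if fragment.startswith("md5="):
            # Key on the basename only, so a link cannot name a path
            # outside the mirror directory.
            name = os.path.basename(urlsplit(url).path)
            self.expected[name] = fragment[len("md5="):].lower()


def expected_digests(index_html):
    parser = SimpleIndexLinks()
    parser.feed(index_html)
    return parser.expected


def store_if_verified(mirror_dir, filename, data, expected):
    """Publish data in the mirror only if its MD5 matches the index."""
    want = expected.get(filename)
    if want is None or hashlib.md5(data).hexdigest() != want:
        return False  # unknown file or corrupted transfer: do not serve it
    # Write to a temp file, then rename: clients never see a partial file.
    fd, tmp = tempfile.mkstemp(dir=mirror_dir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.replace(tmp, os.path.join(mirror_dir, filename))
    return True


# Constructed sample: package bytes and an index page describing them.
SAMPLE_DATA = b"constructed sdist bytes"
SAMPLE_INDEX = ('<a href="../../packages/source/d/demo/demo-1.0.tar.gz#md5=%s">'
                'demo-1.0.tar.gz</a>' % hashlib.md5(SAMPLE_DATA).hexdigest())
```

A mismatch here only catches corruption between the index and the mirror; as the thread says, clients still have to verify for themselves.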