[Catalog-sig] What is the point of pythonpackages.com?

Martijn Faassen faassen at startifact.com
Tue Feb 7 01:41:14 CET 2012

On 02/06/2012 10:35 PM, Stefan Krah wrote:
> Martijn Faassen<faassen at startifact.com>  wrote:
>> On 02/06/2012 09:08 PM, Stefan Krah wrote:
>>> I don't see any inconvenience since bytereef.org has a comparable
>>> uptime to python.org.
>> I've experienced a site which was hosting a Python package which had
>> awesome uptime, but then something was screwed up about the security of
>> the host at some point and while it remained up, it took forever
>> (months? years?) to get resolved.
> And? I'm not exactly unreachable and I doubt there will be a security problem.
> Furthermore I'm posting the sha256sums of the packages in the announcements,
> so they are archived on several mailing lists.

Taking you out of the picture, if there are 2 sites that I need to rely 
on, both with equally great uptime and security and reachability, the 
chances of problems at any given time is higher than if I just had to 
rely on 1 such site.

Multiple sites can only increase reliability if they both provide the 
same services.

I'm not telling you that you shouldn't be hosting your stuff. I'm saying 
that in general people hosting their own stuff, while entirely within 
their rights, is less great for users.

> For the general case I'd suggest that PyPI gives an author the option to
> tie an sha256sum to a package version *once*. This leaves an opportunity
> to correct a release (recent discussion), but as soon as the checksum is
> published it cannot be altered.

That's an interesting idea!

> If a package is removed entirely, any version numbers that have been used
> would need to be stored intenally to prevent a re-upload with the same name
> but a different checksum.
> The download tools would need to get the capability to verify the checksum.

I agree, and the upload tools would need support for this too.



More information about the Catalog-SIG mailing list