[Catalog-sig] pre-PEP: transition to release-file hosting at pypi site

Daniel Holth dholth at gmail.com
Mon Mar 11 15:06:34 CET 2013

It will probably wind up working more like every other package manager
I'm familiar with, where you have a "sources.d" that lists the
repositories you would like to search. Use Plone, add their repository
to the list.

We also seem to be making good progress on "contact the central
repository much less often" by keeping local copies of the packages
you actually need. The most frustrating thing about pypi being down
was that you already had a virtualenv with all the packages you
actually needed, but maybe you couldn't re-install them elsewhere
without contacting pypi again.

Wheel signatures are handy because they travel with the archive but
the eventual security system will probably look very different, at
most taking advantage of the feature when available but doing
something else for sdists. The trust chain is the tricky part.