[Catalog-sig] Publishing metadata (was: V2 pre-PEP: transitioning to release file hosting on PYPI)

Nick Coghlan ncoghlan at gmail.com
Thu Mar 14 15:45:23 CET 2013

On Thu, Mar 14, 2013 at 12:54 AM, M.-A. Lemburg <mal at egenix.com> wrote:
> The index itself is just a bag of things and, as such, one that's very
> well suited to publish data, since it can easily be exposed in the form
> of static files, which can be put on CDNs or mirrored using
> rsync.

The TUF metadata is also just a collection of static files which can
be put on CDNs and mirrored using rsync. That's one of the reasons TUF
is an interesting approach :)

> It's easy to add the metadata file to that index for tools to
> pick up - in addition to the other data exposed on the index
> pages and perfectly backwards compatible.
> As mentioned before, I think we should start publishing the
> existing metadata stored in the PyPI database on those
> index pages as PKG-INFO files, so that tools can easily
> access the data without having to go through XML-RPC.

Yes, I think that's a good near term approach. However, there's still
a lot of duplication of functionality between the TUF metadata and the
simple index, so if we get TUF-based security up and running, my long
term aim will be to make it so that once you have downloaded the TUF
metadata, you shouldn't *need* anything from the simple index, and
would be able to go directly to downloading the release files. That's
a longer term idea, though, and we may even decide it isn't worth the
hassle if PKG-INFO is made available through /simple.


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
