[Distutils] [tuf] Re: Automation for creating, updating and destroying a TUF-secured PyPI mirror
Trishank Karthik Kuppusamy
tk47 at students.poly.edu
Tue Apr 9 07:23:24 CEST 2013
On 4/9/13 1:17 AM, Justin Cappos wrote:
> His 29MB and 58MB numbers assume that every developer has their own key
> right now. We don't think this is likely to happen and propose
> initially signing everything that the developers don't sign with a
> single PyPI key.
>
> It also assumes there are no abandoned packages / devel account. I
> also think many devels won't go back and sign all old versions of their
> software. So my number is definitely a back of the envelope
> calculation using Trishank's data. Trishank's calculations are much
> more expressive, but are the "worst case" size.
Correct. Justin based his back-of-the-envelope calculation on some very
rough prior estimates of mine, so they may be a little off.
Nevertheless, our argument remains: sharing a key across, say, a
thousand packages will certainly reduce the metadata by quite a bit.
Combine that with compression or difference schemes, and you get even
more savings.
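As an added example (not code from the thread or from TUF itself), a small Python model of the argument above: it builds the delegation metadata of a TUF top-level targets role for N packages, once with a key per package and once with one shared key, and compares the serialized sizes. Key contents, role names and paths are constructed placeholders, and one delegated role per package is kept in both cases, so the savings shown come only from de-duplicating key entries and understate a design that also merges roles.

```python
import hashlib
import json

def canonical(obj):
    """Compact, sorted JSON, standing in for TUF's canonical JSON encoding."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def fake_public_key(index):
    # Constructed placeholder, not a real key: sized like a PEM-encoded
    # RSA-2048 public key so the byte counts land in a realistic range.
    body = ("%06d" % index) * 66  # 396 chars of deterministic filler
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----" % body

def build_delegations(num_packages, shared_key):
    """Build a TUF-style 'delegations' object for the top-level targets
    role: a 'keys' dict plus one delegated role per package."""
    keys, roles = {}, []
    for i in range(num_packages):
        key = {"keytype": "rsa",
               "keyval": {"public": fake_public_key(0 if shared_key else i)}}
        # TUF keyids are the hash of the canonical key object, so a shared
        # key collapses to a single 'keys' entry while roles still refer to it.
        keyid = hashlib.sha256(canonical(key)).hexdigest()
        keys[keyid] = key
        roles.append({
            "name": "targets/package%05d" % i,
            "keyids": [keyid],
            "threshold": 1,
            "paths": ["packages/source/p/package%05d/*" % i],
        })
    return {"keys": keys, "roles": roles}

def delegations_size(num_packages, shared_key):
    """Serialized size in bytes of the delegations object."""
    return len(canonical(build_delegations(num_packages, shared_key)))

def compare(num_packages):
    """Return (per-package-key bytes, shared-key bytes, fraction saved)."""
    per_key = delegations_size(num_packages, shared_key=False)
    shared = delegations_size(num_packages, shared_key=True)
    return per_key, shared, 1.0 - shared / per_key

if __name__ == "__main__":
    for n in (10, 100, 1000):
        print(n, compare(n))
```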