[Distutils] [tuf] Re: Automation for creating, updating and destroying a TUF-secured PyPI mirror
Daniel Holth
dholth at gmail.com
Tue Apr 9 13:47:54 CEST 2013
What size keys?
On Apr 9, 2013 1:23 AM, "Trishank Karthik Kuppusamy" <tk47 at students.poly.edu>
wrote:
> On 4/9/13 1:17 AM, Justin Cappos wrote:
>
>> His 29MB and 58MB numbers assume that every developer has their own key
>> right now. We don't think this is likely to happen and propose
>> initially signing everything that the developers don't sign with a
>> single PyPI key.
>>
>> It also assumes there are no abandoned packages / devel account. I
>> also think many devels won't go back and sign all old versions of their
>> software. So my number is definitely a back of the envelope
>> calculation using Trishank's data. Trishank's calculations are much
>> more expressive, but are the "worst case" size.
>>
>
> Correct. Justin based his back-of-the-envelope calculation on some very
> rough prior estimates of mine, so they may be a little off. Nevertheless,
> our argument remains: sharing a key across, say, a thousand packages will
> certainly reduce the metadata by quite a bit. Combine that with compression
> or difference schemes, and you get even more savings.
>
>
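The size argument in the quoted thread, as an added example that is not part of the original messages: a simplified model (not TUF's real metadata schema) of delegation metadata for 1000 packages, serialized once with a distinct key per developer and once with a single shared PyPI key, with zlib compression measured for both. Package names, key material and the JSON layout are constructed for illustration.

```python
import hashlib
import json
import zlib

# Constructed, simplified stand-in for TUF-style delegation metadata: the
# top-level targets role delegates each package to a role signed by one key.
# The real TUF schema carries more fields; the shape here is enough to show
# why the number of distinct keys dominates the metadata size.


def make_keyid(name: str) -> str:
    # Stand-in for a TUF keyid: hex digest over a constructed public key.
    return hashlib.sha256(f"pubkey-{name}".encode()).hexdigest()


def delegation_metadata(packages, key_for_package):
    """Map each package to the key that signs it (key_for_package: name -> key name)."""
    keys, roles = {}, []
    for pkg in packages:
        key_name = key_for_package(pkg)
        keyid = make_keyid(key_name)
        # A key is stored once, however many packages it signs.
        keys.setdefault(keyid, {"keytype": "ed25519",
                                "keyval": {"public": make_keyid("pub-" + key_name)}})
        roles.append({"name": pkg, "keyids": [keyid], "threshold": 1,
                      "paths": [f"{pkg}/*"]})
    return {"delegations": {"keys": keys, "roles": roles}}


def metadata_sizes(packages, key_for_package):
    """Return (raw_bytes, zlib_compressed_bytes) of the serialized metadata."""
    raw = json.dumps(delegation_metadata(packages, key_for_package),
                     sort_keys=True, separators=(",", ":")).encode()
    return len(raw), len(zlib.compress(raw, 9))


def compare_schemes(n_packages: int = 1000):
    """Sizes for per-developer keys versus one shared PyPI key, both compressed too."""
    packages = [f"pkg{i}" for i in range(n_packages)]
    per_dev = metadata_sizes(packages, lambda p: f"dev-{p}")  # one key per package
    shared = metadata_sizes(packages, lambda p: "pypi")       # single PyPI key
    return {"per_developer": per_dev, "shared_key": shared}


if __name__ == "__main__":
    for scheme, (raw, packed) in compare_schemes().items():
        print(f"{scheme:>14}: {raw:>8} bytes raw, {packed:>7} bytes compressed")
```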