[Distutils] What to do about the PyPI mirrors

Christian Theune ct at gocept.com
Tue Aug 6 08:11:57 CEST 2013


Two more things:

Why is the CDN not suffering from the security problems you describe
for the mirrors?

a) Fastly seems to be the one owning the certificate for 
pypi.python.org. What?!?

b) What stops Fastly from introducing incorrect/rogue code in
package downloads?

Christian



