[Distutils] What to do about the PyPI mirrors

Noah Kantrowitz noah at coderanger.net
Tue Aug 6 09:19:51 CEST 2013

On Aug 6, 2013, at 12:10 AM, holger krekel <holger at merlinux.eu> wrote:

> On Mon, Aug 05, 2013 at 23:49 -0700, Noah Kantrowitz wrote:
>> On Aug 5, 2013, at 11:09 PM, Christian Theune <ct at gocept.com> wrote:
>> (...)
>> Between now and the first DNS change, I would absolutely recommend any
>> current public mirrors to redirect users to their new domain name if
>> they intend to have one, and we'll do whatever we can to help make
>> users aware of the switch. I would rather have a clear timeline with
>> fewer steps than add another stage where we (PSF) are issuing
>> redirects to non-PSF servers. Very very +1 on the easier
>> bandersnatch-ing though, I really would love to see more mirrors out
>> there, I just don't want them associated with PyPI or python.org, and
>> I don't want pip to be trying to auto-discover them.
> PyPI mirrors _are_ associated with PyPI and pypi.python.org.
> (Why) Do you want to flatly rule out pip/pypi.python.org support
> for managing mirrors?
> The perl CPAN mirroring provides this nice little machine-readable file:
>    http://www.cpan.org/indices/mirrors.json
> and a python-equivalent could be consumed by pip, I guess.

Because at this time there is no Python package installer that can install from a public mirror in a way that makes me comfortable supporting it as an official resource. This could be addressed in pip by verifying the /simple signatures, but this mostly precludes improved mirroring mechanisms like that used by Crate. More to the point, I as the head of infrastructure am responsible for *.python.org, but if there is an issue with a mirror, be it downtime, server compromise, or anything else, my team and I can't do anything to fix that. This is, again, not a situation I am comfortable with.
