[Distutils] What to do about the PyPI mirrors
Justin Cappos
jcappos at poly.edu
Tue Aug 6 15:13:25 CEST 2013
> One means by which I could see an f.pypi.python.org DNS record being
> left in place indefinitely is if the TUF folks are able to come up
> with a scheme for offering end-to-end security for the *existing* PyPI
> metadata, *and* the TUF metadata is mirrored by bandersnatch *and* the
> TUF client side integrity checks are invoked by pip. In that case, the
> security argument regarding the lack of TLS on the subdomains would be
> rendered moot, and the backwards compatibility argument for keeping it
> active would win.
>
It seems like you've been reading our minds (or at least our mailing list)!
Thanks,
Justin