[Distutils] What to do about the PyPI mirrors
jcappos at poly.edu
Tue Aug 6 15:13:25 CEST 2013
One means by which I could see an f.pypi.python.org DNS record being
> left in place indefinitely is if the TUF folks are able to come up
> with a scheme for offering end-to-end security for the *existing* PyPI
> metadata, *and* the TUF metadata is mirrored by bandersnatch *and* the
> TUF client side integrity checks are invoked by pip. In that case, the
> security argument regarding the lack of TLS on the subdomains would be
> rendered moot, and the backwards compatibility argument for keeping it
> active would win.
It seems like you've been reading our minds (or at least our mailing list)!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Distutils-SIG