[issue11357] Add support for PEP 381 -- Mirror Authenticity

Alexis Metaireau report at bugs.python.org
Tue Mar 1 16:13:01 CET 2011


Alexis Metaireau <alexis at notmyidea.org> added the comment:

Some nitpicks:

In mirrors.get_server_key, the documentation is not up to date with your last changes (raises an error if there is a problem instead of returning None).

You do use the name 'package' while talking about distributions or projects. Please be sure to use the right one in the right place (in your case, that's a project). A project (Django) contains releases (Django 1.1, 1.2, 1.3?) which contain distributions (sdist, bdist).

The "verify_package" name could probably be changed to "is_trustable" or something like that, or raise an error (otherwise, one can use verify_package thinking that it will actually check for something, without looking at the return value).

In the documentation, you've mainly copy/pasted the PEP and provided examples on how to do the authenticity check with distutils2. 

While the second part is fine, I think that duplicating the PEP content in the documentation is probably an error: if the PEP changes, then the distutils2 documentation has to change as well. You probably can just refer to the PEP with a link.

Adding information on where you found the sources of verify.py could be nice as well.

Again, thanks for your work!

----------

_______________________________________
Python tracker <report at bugs.python.org>
<http://bugs.python.org/issue11357>
_______________________________________
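
The API-shape concern raised in the comment above, as an added example that is not part of the original message or of the distutils2 patch: a verifier that only returns a boolean fails open when the caller ignores the result, while a raising wrapper fails closed. All names and signatures here are hypothetical (`verify_package` is a stand-in sharing only its name with the function under review), and HMAC-SHA256 stands in for the PEP 381 signature check.

```python
import hashlib
import hmac

# Constructed sample data, not real mirror content or keys.
KEY = b"constructed-demo-key"
GOOD_PAGE = b'<a href="Django-1.3.tar.gz">Django-1.3.tar.gz</a>'


class MirrorVerificationError(Exception):
    """Raised when a mirror page does not match its signature."""


def sign(page, key=KEY):
    """Stand-in signer (HMAC-SHA256), used only to build test signatures."""
    return hmac.new(key, page, hashlib.sha256).digest()


def verify_package(page, signature, key=KEY):
    """Boolean-returning shape: safe only if the caller checks the result."""
    return hmac.compare_digest(sign(page, key), signature)


def is_trustable(page, signature, key=KEY):
    """Same check under a name that reads as a question, not an action."""
    return verify_package(page, signature, key)


def ensure_trusted(page, signature, key=KEY):
    """Raising shape: a failed check cannot be ignored by accident."""
    if not verify_package(page, signature, key):
        raise MirrorVerificationError("signature mismatch for mirror page")
    return page


def careless_fetch(page, signature):
    """Caller bug the comment warns about: the return value is discarded."""
    verify_package(page, signature)
    return page  # tampered content flows through unchecked


def strict_fetch(page, signature):
    """Same caller written against the raising API: fails closed."""
    return ensure_trusted(page, signature)
```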
