On Thu, Jan 21, 2010 at 12:51 PM, M.-A. Lemburg <[email protected]> wrote:
[..]
> The problem gets real when putting the data up on the web for
> users to download via a browser. If they then install directly from
> the file without checking signatures, they can easily be tricked
> into executing malware - and that would put the original author
> of such a package into a pretty bad light.
>
> In any case, that was just a list of examples.
What about restricting the mirrors to the non-web part in that case? Because the mirroring infrastructure is really intended for what I would call a "professional" usage of PyPI, where it matters if it's down for some time. And this usage is always done through automated tools.

If the PyPI *website* part is down for a while, it's a minor annoyance for people that are installing by clicking.

Then, in a second phase, we could have a second mirroring level with a web part, and ask the maintainer to sign a "mirror agreement" to make him responsible in case he's a bad guy, and make him/her acknowledged by some PSF members, maybe? Because the people that are willing to maintain mirrors are respected/known developers.

But the latter is not really what we need for our everyday work.

Regards,
Tarek

--
Tarek Ziadé | http://ziade.org

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
