-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 15/06/10 14:20, Michael Crute wrote: > What about a set of volunteer mirrors of PyPi similar to the way CPAN > and Linux distributions handle this problem. pypi.python.org? That > approach eliminates any cost for the PSF and might ultimately result > in better reliability. With the volunteer mirror system you would > still statically generate the files and just make them available for > rsync then setup a page to allow mirrors to register (see CPAN). If > you take this approach I would be happy to donate a mirror to the > pool.
I would rather prefer this approach, actually. With the following changes in current code: 1. setuptools & friends: Support for retrying several mirrors if first try fails. 2. Packages MUST be digitally signed. Ideally by the owner, but at least by PYPI central node (current pypi server). That way, a "rogue" mirror can't distribute trojans. 3. Trusting the stats is not possible :(, if there are "rogue" mirrors. - -- Jesus Cea Avion _/_/ _/_/_/ _/_/_/ [email protected] - http://www.jcea.es/ _/_/ _/_/ _/_/ _/_/ _/_/ jabber / xmpp:[email protected] _/_/ _/_/ _/_/_/_/_/ . _/_/ _/_/ _/_/ _/_/ _/_/ "Things are not so easy" _/_/ _/_/ _/_/ _/_/ _/_/ _/_/ "My name is Dump, Core Dump" _/_/_/ _/_/_/ _/_/ _/_/ "El amor es poner tu felicidad en la felicidad de otro" - Leibniz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQCVAwUBTBe75Zlgi5GaxT1NAQLnawP+J4Cb6ywGCpIEOsD1L4mbUTfnWnh9X59T zxTjxbEdCaZrbLgY2KuAAoAdSocmrQFhX/zfeMxEpoilnLH2mZknM+Bb6icNAzbR JFYDmfu7QPhUjPrNgFlQhXQsuuMnpNEzTv3yINmjKZg2OYwU7BhbolFKrAGF+b+5 kKmnwWjTju0= =rQh4 -----END PGP SIGNATURE----- _______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
