1. setuptools & friends: Support for retrying several mirrors if first try fails.
That's the part that still needs to be implemented.
2. Packages MUST be digitally signed. Ideally by the owner, but at least by PYPI central node (current pypi server). That way, a "rogue" mirror can't distribute trojans.
That is already part of the mirroring infrastructure (although still not explained in PEP 381 yet).
3. Trusting the stats is not possible :(, if there are "rogue" mirrors.
That's true.

Regards,
Martin
