I read PEP 381 a long time ago and I don't remember how/when a mirror
would update, but I do remember it doesn't mandate digital signatures
(signed by the PyPI central node, verified by setuptools & friends). That is a
big gap, in my opinion.

The PEP doesn't explain the digital signing that is going on in mirroring. See

http://mail.python.org/pipermail/catalog-sig/2009-March/002018.html

This is fully implemented (except that the client would need to verify the signatures, and except that key rollover hasn't happened yet).

Regards,
Martin
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
