Martijn Faassen <[email protected]> wrote:
> On 02/06/2012 09:08 PM, Stefan Krah wrote:
>> I don't see any inconvenience since bytereef.org has a comparable
>> uptime to python.org.
>
> I've experienced a site which was hosting a Python package which had
> awesome uptime, but then something was screwed up about the security of
> the host at some point and while it remained up, it took forever
> (months? years?) to get resolved.
And? I'm not exactly unreachable and I doubt there will be a security
problem. Furthermore I'm posting the sha256sums of the packages in the
announcements, so they are archived on several mailing lists.

For the general case I'd suggest that PyPI gives an author the option
to tie an sha256sum to a package version *once*. This leaves an
opportunity to correct a release (recent discussion), but as soon as
the checksum is published it cannot be altered.

If a package is removed entirely, any version numbers that have been
used would need to be stored internally to prevent a re-upload with the
same name but a different checksum.

The download tools would need to get the capability to verify the
checksum.

Stefan Krah

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
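The scheme proposed above (correct freely until the sha256sum is pinned, immutable afterwards, removed versions kept on record, download tools verifying against the pinned digest), sketched as an added example; this is not PyPI code or Stefan Krah's, and the `PinnedIndex` class, its method names and the package name are hypothetical:

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class PinnedIndex:
    """Hypothetical in-memory model of the proposal (not PyPI's code)."""

    def __init__(self):
        self.files = {}       # (name, version) -> uploaded bytes
        self.checksums = {}   # (name, version) -> pinned sha256 hex digest

    def upload(self, name, version, data):
        """Accept or correct an upload; refuse anything that contradicts a pinned digest."""
        key = (name, version)
        digest = sha256_hex(data)
        if key in self.checksums and self.checksums[key] != digest:
            # Covers both a live pinned release and a removed version whose
            # number is burned: same name, different checksum is refused.
            raise PermissionError(f"{name} {version}: checksum is pinned, use a new version")
        self.files[key] = data   # a correction is fine while still unpinned
        return digest

    def pin(self, name, version):
        """Author ties the sha256sum to this version once; it can never change afterwards."""
        key = (name, version)
        if key in self.checksums:
            raise PermissionError(f"{name} {version}: checksum already pinned")
        self.checksums[key] = sha256_hex(self.files[key])
        return self.checksums[key]

    def remove(self, name, version):
        """Remove the file but keep the version number and its digest on record."""
        key = (name, version)
        data = self.files.pop(key)
        # Assumption: a removed-but-unpinned version is recorded at its last digest.
        self.checksums.setdefault(key, sha256_hex(data))

    def verify(self, name, version, data):
        """What a download tool would do before installing: compare against the pinned digest."""
        key = (name, version)
        if key not in self.checksums:
            raise LookupError(f"{name} {version}: no pinned checksum")
        return sha256_hex(data) == self.checksums[key]
```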
