On 02/06/2012 10:35 PM, Stefan Krah wrote:
> Martijn Faassen <[email protected]> wrote:
>> On 02/06/2012 09:08 PM, Stefan Krah wrote:
>>> I don't see any inconvenience since bytereef.org has a comparable
>>> uptime to python.org.
>> I've experienced a site which was hosting a Python package which had
>> awesome uptime, but then something was screwed up about the security of
>> the host at some point and while it remained up, it took forever
>> (months? years?) to get resolved.
> And? I'm not exactly unreachable and I doubt there will be a security problem.
> Furthermore I'm posting the sha256sums of the packages in the announcements,
> so they are archived on several mailing lists.
Taking you out of the picture, if there are 2 sites that I need to rely
on, both with equally great uptime and security and reachability, the
chances of problems at any given time are higher than if I just had to
rely on 1 such site.
Multiple sites can only increase reliability if they both provide the
same services.
I'm not telling you that you shouldn't be hosting your stuff. I'm saying
that in general people hosting their own stuff, while entirely within
their rights, is less great for users.
> For the general case I'd suggest that PyPI gives an author the option to
> tie an sha256sum to a package version *once*. This leaves an opportunity
> to correct a release (recent discussion), but as soon as the checksum is
> published it cannot be altered.
That's an interesting idea!
> If a package is removed entirely, any version numbers that have been used
> would need to be stored internally to prevent a re-upload with the same name
> but a different checksum.
> The download tools would need to get the capability to verify the checksum.
I agree, and the upload tools would need support for this too.
Regards,
Martijn
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
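The "pin a sha256sum once" proposal discussed in this thread, modelled as an added example (not code from PyPI, the list, or either poster): the index binds a (name, version) pair to one digest on first publish, keeps that binding even after the package is removed, and a download tool refuses any file whose digest differs from the pin. Class and function names, and the package bytes, are constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, Optional, Set, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a release file's bytes (what the announcements carry)."""
    return hashlib.sha256(data).hexdigest()


class ChecksumPinRegistry:
    """Hypothetical index-side store for write-once checksum pins.

    A (name, version) pair is bound to exactly one sha256 the first time it is
    published. Removing the package takes its files offline but never forgets
    the pins, so the same name/version cannot later be re-uploaded with
    different contents.
    """

    def __init__(self) -> None:
        self._pins: Dict[Tuple[str, str], str] = {}   # permanent, write-once
        self._hosted: Set[Tuple[str, str]] = set()    # currently downloadable

    def publish(self, name: str, version: str, digest: str) -> str:
        key = (name.lower(), version)
        pinned = self._pins.get(key)
        if pinned is None:
            self._pins[key] = digest           # first publish: pin it for good
            self._hosted.add(key)
            return "pinned"
        if hmac.compare_digest(pinned, digest):
            self._hosted.add(key)              # identical file: harmless re-publish
            return "unchanged"
        return "conflict"                      # different bytes for a used version

    def remove_package(self, name: str) -> None:
        # Files go offline; pins for every version ever used are retained.
        self._hosted = {k for k in self._hosted if k[0] != name.lower()}

    def is_hosted(self, name: str, version: str) -> bool:
        return (name.lower(), version) in self._hosted

    def pinned_digest(self, name: str, version: str) -> Optional[str]:
        return self._pins.get((name.lower(), version))


def verify_download(data: bytes, registry: ChecksumPinRegistry,
                    name: str, version: str) -> bool:
    """Client-side check a download tool would perform before installing."""
    expected = registry.pinned_digest(name, version)
    return expected is not None and hmac.compare_digest(sha256_hex(data), expected)
```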