On Tuesday, February 5, 2013 at 9:05 AM, M.-A. Lemburg wrote:

> Hmm, packages aren't validated on PyPI either. You'd need an appstore
> team for that :-)
>
> Note that file storage itself can be insecure without any problem.
> You only have to make sure that the file's contents of the downloaded
> version matches the one that the author registered with PyPI (and, of
> course, you have to make that registration process secure), regardless
> of where you downloaded it from.
>
> IMO, PyPI would scale a lot better if it were to only manage the
> meta data and security aspect of the package distribution and not
> also deal with distribution of the files themselves, but yeah, that's
> a different discussion ;-)
Validated is probably the wrong word. But I can get an audit log of everything that's been done to a package on PyPI (and in the future I hope an audit log that can't easily be tampered with). It's also a single point to keep secure instead of PyPI + whatever servers the authors of packages happened to have shoved their stuff on.

It's also a single point to keep running. More than one problem with shitty hosts has been solved by me telling people to use the simple index on Crate that excludes external packages. If every package author hosts their own packages and I have 20 dependencies, and every server has a theoretical 99% uptime (may be more, may be less, just a hypothetical number), my expected average uptime for me to install those 20 dependencies is `0.99**21` or roughly 81%. A similar (but much harder to quantify) effect will happen with security.

However we already have a SPOF for both uptime and security with PyPI, so attempting to limit us to 1 SPOF instead of 1 + number_of_packages_i_need is a net win AND it makes it easier to get rid of the SPOF either by using a CDN, using mirrors, or both. The required storage will go up, sure; I'm going to assert that egenix is in the minority for having quite that large of a requirement, but regardless storage itself is fairly cheap.
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
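The integrity check Lemburg describes above (trust the digest the author registered with the index, not the host the file came from) and the mirror/CDN point in the reply both reduce to the same mechanism: compare the downloaded bytes against a registered digest and accept the file from whichever source verifies. The following is an added illustration written for this thread, not code from PyPI, Crate or either poster; the registry contents, file names and candidate sources are constructed sample data.

```python
"""Verify downloaded distribution files against digests registered at the index.

Added example for this thread; not PyPI's or Crate's code. The registry below
is a constructed stand-in for the per-file digests an index would publish.
"""
import hashlib
import hmac
from typing import Iterable, Mapping, Optional, Tuple

# Constructed sample registry: filename -> (digest algorithm, hex digest).
# In a real index this record is produced at registration time, which is
# the step that has to be secured; the file itself may then live anywhere.
_GOOD_SDIST = b"example sdist contents v1.0"
CONSTRUCTED_REGISTRY: Mapping[str, Tuple[str, str]] = {
    "example-1.0.tar.gz": ("sha256", hashlib.sha256(_GOOD_SDIST).hexdigest()),
}


def digest_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of data with the named hashlib algorithm."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def verify_download(filename: str, data: bytes,
                    registry: Mapping[str, Tuple[str, str]]) -> bool:
    """True if data matches the digest registered for filename.

    Raises KeyError for files the index never registered: an unregistered
    file has no trusted digest, so it must not be silently accepted.
    """
    algorithm, expected = registry[filename]
    actual = digest_bytes(data, algorithm)
    # Constant-time comparison; digests are public, but this is the habit
    # to keep for any equality check on security-relevant strings.
    return hmac.compare_digest(actual, expected)


def first_verified_source(filename: str,
                          candidates: Iterable[Tuple[str, bytes]],
                          registry: Mapping[str, Tuple[str, str]]) -> Optional[str]:
    """Return the label of the first candidate source whose bytes verify.

    candidates is an iterable of (source_label, downloaded_bytes), e.g. the
    same file fetched from a primary host, a mirror and a CDN. Because the
    decision rests only on the registered digest, any source that serves the
    right bytes is acceptable and a tampered or stale mirror is skipped.
    """
    for label, data in candidates:
        if verify_download(filename, data, registry):
            return label
    return None


if __name__ == "__main__":
    # Constructed downloads: one mirror serves a tampered copy, the CDN is good.
    downloads = [
        ("mirror-a", b"example sdist contents v1.0 plus injected junk"),
        ("cdn", _GOOD_SDIST),
    ]
    print("accepted source:", first_verified_source("example-1.0.tar.gz",
                                                    downloads, CONSTRUCTED_REGISTRY))
```

The point the block makes is that verification cost does not grow with the number of hosts: the registry is the single thing to keep trustworthy, and every extra mirror or CDN edge is only an availability gain, never an additional trust decision.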
