On 3/13/13 9:19 PM, Daniel Holth wrote:
> Thanks, yes. The individual .tar.gz distributions do contain PKG-INFO but we would eventually like to expose it in a more efficient way. Then to be suitably paranoid you would also have to check that it matched the package you downloaded! :(
Great, glad we could help. Well, at least the paranoid would just need an extra download :))
> Also note that on http://crate.io the simple index works the same way as on pypi, except that the actual packages are on a different (CDN) host.
Got it. I'll take a look at crate.io to see how it works. Conceivably, the TUF metadata and the PyPI files could live in separate locations altogether and we would just have to check that the TUF metadata matches the PyPI files.
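As an added illustration of the two checks this exchange touches on (not code from the thread, from TUF or from PyPI): a minimal sdist is built in memory, a TUF-style "targets" entry for it is constructed as if it were served from a separate host, and a client verifies both that the downloaded bytes match the entry's length and hashes and that the PKG-INFO exposed by the index equals the one inside the archive. The helper names and the shape of the metadata entry are assumptions.

```python
import hashlib
import hmac
import io
import tarfile

# Constructed stand-in for one TUF "targets" entry for a file. In a real
# deployment this metadata is fetched and signature-checked separately
# from the file it describes, possibly from a different host entirely.
def make_target_entry(content: bytes) -> dict:
    return {"length": len(content),
            "hashes": {"sha256": hashlib.sha256(content).hexdigest()}}

def verify_target(entry: dict, content: bytes) -> bool:
    """True only if content matches the entry's length and every listed hash."""
    if len(content) != entry["length"]:
        return False
    for algo, expected in entry["hashes"].items():
        actual = hashlib.new(algo, content).hexdigest()
        if not hmac.compare_digest(actual, expected):
            return False
    return True

def build_sdist(name: str, version: str) -> bytes:
    """Constructed minimal .tar.gz containing only a PKG-INFO, standing in for a PyPI sdist."""
    pkg_info = f"Metadata-Version: 1.2\nName: {name}\nVersion: {version}\n".encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(f"{name}-{version}/PKG-INFO")
        info.size = len(pkg_info)
        tar.addfile(info, io.BytesIO(pkg_info))
    return buf.getvalue()

def pkg_info_matches(sdist: bytes, served_pkg_info: bytes) -> bool:
    """Check that the PKG-INFO the index serves is byte-identical to the one in the archive."""
    with tarfile.open(fileobj=io.BytesIO(sdist), mode="r:gz") as tar:
        member = next(m for m in tar.getmembers() if m.name.endswith("/PKG-INFO"))
        inside = tar.extractfile(member).read()
    return inside == served_pkg_info
```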
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig