On Thu, Mar 14, 2013 at 12:54 AM, M.-A. Lemburg <m...@egenix.com> wrote:
> The index itself is just a bag of things and, as such, one that's very
> well suited to publish data, since it can easily be exposed in form
> of static files, which can be put on CDNs or mirrored using
> rsync.

The TUF metadata is also just a collection of static files which can
be put on CDNs and mirrored using rsync. That's one of the reasons TUF
is an interesting approach :)

> It's easy to add the metadata file to that index for tools to
> pick up - in addition to the other data exposed on the index
> pages and perfectly backwards compatible.
>
> As mentioned before, I think we should start publishing the
> existing metadata stored in the PyPI database on those
> index pages as PKG-INFO files, so that tools can easily
> access the data without having to go through XML-RPC.

Yes, I think that's a good near term approach. However, there's still
a lot of duplication of functionality between the TUF metadata and the
simple index, so if we get TUF-based security up and running, my long
term aim will be to make it so that once you have downloaded the TUF
metadata, you shouldn't *need* anything from the simple index, and
would be able to go directly to downloading the release files.

That's a longer term idea, though, and we may even decide it isn't
worth the hassle if PKG-INFO is made available through /simple.

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia