On Tue, Jun 15, 2010 at 8:21 PM, Jesus Cea <j...@jcea.es> wrote:
> On 15/06/10 19:45, M.-A. Lemburg wrote:
>> Note that with community servers that only mirror once a day,
>> you'd have to wait up to a whole day for your package updates
>> to become visible worldwide.
>
> But TODAY mirror use is voluntary and per-user. That is, you use a
> mirror because you want to, not because pypi is pushing you around
> transparently. I don't use mirrors so far, because pypi instability
> hasn't hit me so far, and because I don't "trust" mirrors (see next
> paragraph).
>
> I read PEP 381 a long time ago and I don't remember how/when a mirror
> would update, but I do remember it doesn't mandate digital signatures
> (signed by the pypi central node, verified by setuptools & friends). That is a
> big gap, in my opinion.
You don't trust mirrors right now, but if they are listed at PyPI as official mirrors, they are managed by people that can be trusted as much as you can trust the PyPI sysadmin, for instance, and much, much more than the packages you can download at PyPI. Do you trust the package you are installing more than an "official" mirror? If so, why? Anyone can upload a package at PyPI with os.system('rm -rf /') in its setup.py...

Regards
Tarek

--
Tarek Ziadé | http://ziade.org