On 28.04.2011 10:26, M.-A. Lemburg wrote:
> "Martin v. Löwis" wrote:
>> I came up with a key rollover scheme for the server key on PyPI.
>> [...]
>>
>> The key rollover will be logged in the PyPI journal,
>> using an empty package name and an empty release. TOOLS USING
>> THE JOURNAL MAY NEED TO BE FIXED TO ACCOMMODATE EMPTY PACKAGE
>> NAMES. Earlier today, such a journal entry was already added;
>> I took it out again when I noticed that some tools actually
>> do need to be fixed.
>
> I can't comment on the other parts of the proposal, but the above
> suggestion doesn't sound like a good solution: an empty package
> name in the update stream looks more like a server or client
> decoding bug than a trigger to do a key update.

Oops, I forgot a critical detail: the "action" string in the journal
entry would be "keyrotate".

> Wouldn't it be better to use a descriptive package name such
> as "pypi-serverkey-update" together with a package version
> which identifies the new serverkey version as trigger?

That would not be good - tools would (rightly) assume that there
is a package with that name, and try to mirror it.

Regards,
Martin
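
How a mirroring tool could handle the journal entry described in this thread, as an added example that is not part of the original messages or of PyPI's code. It assumes journal entries arrive as (name, version, timestamp, action) tuples; `plan_mirror_work`, `Entry` and the sample data are hypothetical.

```python
from collections import namedtuple

# Assumed journal entry shape: (name, version, timestamp, action).
Entry = namedtuple("Entry", "name version timestamp action")

KEY_ROTATE = "keyrotate"  # action string named in the message above


def plan_mirror_work(journal):
    """Split journal entries into packages to sync, rollover events and anomalies."""
    to_sync, rollovers, anomalies = set(), [], []
    for raw in journal:
        e = Entry(*raw)
        name = (e.name or "").strip()
        version = (e.version or "").strip()
        if e.action == KEY_ROTATE:
            # The scheme uses an empty package name and empty release for a
            # rollover. An entry that names a package anyway is treated as
            # malformed here (an assumption of this example).
            if name or version:
                anomalies.append(e)
            else:
                rollovers.append(e.timestamp)
        elif not name:
            # Empty name without the keyrotate action: the "decoding bug"
            # case raised in the thread. Record it, never try to mirror it.
            anomalies.append(e)
        else:
            to_sync.add(name)
    return sorted(to_sync), rollovers, anomalies


# Constructed sample journal (names, versions and timestamps are made up).
SAMPLE_JOURNAL = [
    ("examplepkg", "1.0", 1303977600, "new release"),
    ("", "", 1303977660, "keyrotate"),
    ("", None, 1303977720, "remove"),
    ("otherpkg", "0.3", 1303977780, "keyrotate"),
    ("examplepkg", "1.0", 1303977840, "add source file examplepkg-1.0.tar.gz"),
]

if __name__ == "__main__":
    packages, rollovers, anomalies = plan_mirror_work(SAMPLE_JOURNAL)
    print("sync:", packages)
    print("key rollovers at:", rollovers)
    print("anomalies:", [tuple(a) for a in anomalies])
```

Keying on the action string first, and only then on the package name, keeps a rollover entry from being mirrored as a package and keeps a stray empty name from being mistaken for a rollover.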
