> fwiw Crate verifies the md5 hashes that the simple api gives for
> each package. I think not doing that should be considered wrong.
> (it's considered important for clients to check the checksum of
> packages they download, but mirrors that are going to be
> redistributing their files to clients this isn't important? Seems to
> be a disconnect between the thoughts).
I think this is a quality-of-implementation issue. They could verify the md5; they could also verify the serversig. Some do, some don't. Or they could claim they do but actually don't. Ultimately, clients either need to trust the mirror, or do the verification themselves.

Regards,
Martin

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
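Added example, not code from Martin's message or from any mirror implementation: a mirror-side check that reads the hash fragment the simple API attaches to each download link and refuses to redistribute a file whose bytes do not match it. The function names, the constructed sample index page and the sample file bytes are assumptions; sha256 fragments are handled alongside the md5 case the thread discusses.

```python
import hashlib
import hmac
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Assumption: each file on a simple-API index page is an <a href="..."> whose
# URL fragment carries the advertised digest, e.g. "...#md5=<hex>".
class _LinkParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def expected_hashes(index_html):
    """Map filename -> (algorithm, hex digest) for every link with a hash fragment."""
    parser = _LinkParser()
    parser.feed(index_html)
    result = {}
    for href in parser.hrefs:
        parts = urlsplit(href)
        m = re.fullmatch(r"(md5|sha256)=([0-9a-fA-F]+)", parts.fragment)
        if not m:
            continue  # the index advertises no checksum for this file
        filename = unquote(parts.path.rsplit("/", 1)[-1])
        result[filename] = (m.group(1), m.group(2).lower())
    return result

def verify_download(filename, data, expected):
    """True only if the downloaded bytes match the digest the index advertised."""
    if filename not in expected:
        return False  # nothing to check against: do not redistribute
    algo, digest = expected[filename]
    actual = hashlib.new(algo, data).hexdigest()
    return hmac.compare_digest(actual, digest)

# Constructed sample index page (hypothetical project, not real PyPI data):
# one link with an md5 fragment, one without any checksum.
SAMPLE_INDEX = """<html><body>
<a href="../../packages/source/e/example/example-1.0.tar.gz#md5=%s">example-1.0.tar.gz</a>
<a href="../../packages/source/e/example/example-0.9.tar.gz">example-0.9.tar.gz</a>
</body></html>""" % hashlib.md5(b"good archive bytes").hexdigest()
```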