On Monday, April 16, 2012 at 6:22 PM, "Martin v. Löwis" wrote: > > fwiw Crate verifies the md5 hashes that the simple api gives for > > each package. I think not doing that should be considered wrong. > > (it's considered important for clients to check the checksum of > > packages they download, but mirrors that are going to be > > redistributing their files to clients this isn't important? Seems to > > be a disconnect between the thoughts). > > > > > I think this is a quality-of-implementation issue. They could verify > the md5; they could also verify the serversig. Some do, some don't. > Or they could claim they do but actually don't. Ultimately, clients > either need to trust the mirror, or do the verification themselves. > >
Yea ultimately the clients will need to do the verification themselves, I only meant to have somewhat more useful mirrors (corrupted data, bugs in scripts, etc) it would make sense for mirrors to verify that the data they are getting is the data they are expecting so they don't serve bad data. While a verifying client won't be affected by that bad data, it does lower the overall availability for that file. > > Regards, > Martin > >
_______________________________________________ Catalog-SIG mailing list Catalog-SIG@python.org http://mail.python.org/mailman/listinfo/catalog-sig
