On Wed, 16 Jun 2010 03:44:05 am Jesus Cea wrote:

> 2. Packages MUST be digitally signed. Ideally by the owner

-1 on requiring that by the package owner. While digitally signing packages is a good idea, the state of the art is not yet so simple that this will be anything but a barrier to entry to the average Python developer. Not to mention there are places in the world where effective encryption is illegal.

> but at least by PYPI central node (current pypi server).

Martin has said this is already planned, and linked here:

http://mail.python.org/pipermail/catalog-sig/2009-March/002018.html

Has anyone considered whether there are any legal implications of this? A digital signature is not an MD5 checksum; it may have actual legal meaning in many countries, equivalent to a pen-and-paper signature. IANAL, but I do not believe that it is a good idea to be signing arbitrary packages without knowing what they are (other than "a bunch of bytes uploaded from some arbitrary IP address") any more than I would put my physical signature on a parcel handed to me by some random person at the airport. I would not be digitally signing anything I didn't create unless I had good legal advice that it was safe to do so.

-- 
Steven D'Aprano

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
