Hey

I am currently writing a small script to verify that the gpg signature is correct when the --sign option is used with the Distutils upload command, and I was wondering why we don't publish the public key alongside the .asc file.

Right now, unless I missed something, to verify a signature the user has to manually get the public key before she can control the tarball.

Wouldn't it make sense to modify the upload command and add a .pubkey file alongside the archive file and the .asc file on PyPI? (since we don't have a notion of team/users etc.)

Cheers
Tarek
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
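As an added example (written for this thread; it is not Tarek's script and not part of Distutils or PyPI), here is a verifier that does what the message describes: it imports the proposed .pubkey into a throwaway GnuPG home, checks the .asc against the tarball, and accepts the result only if the signing key is one that actually came from that .pubkey file. It assumes a `gpg` binary on PATH; the file-name convention (`foo.tar.gz`, `foo.tar.gz.asc`, `foo.tar.gz.pubkey`), the function names and the sample `--status-fd` output are all constructed for this example.

```python
"""Verify a tarball against its detached .asc using a published .pubkey.

Hypothetical helper for the Catalog-SIG thread; not Distutils code.
Assumes GnuPG ("gpg") is on PATH. Everything else here is constructed.
"""
import os
import re
import shutil
import subprocess
import tempfile
from dataclasses import dataclass

# Only VALIDSIG carries the full 40-hex fingerprint; GOODSIG has a short id.
_VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG ([0-9A-F]{40}) ")

# Constructed sample of what gpg --status-fd prints for a good signature.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Example Signer <signer@example.invalid>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-09-01 "
    "1251763200 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)

# Constructed sample of gpg --with-colons --fingerprint --list-keys output.
SAMPLE_LISTING = (
    "pub:-:4096:1:89ABCDEF01234567:1251763200::::::scESC::::::23::0:\n"
    "fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:\n"
    "uid:-::::1251763200::DEADBEEF::Example Signer <signer@example.invalid>::::::::::0:\n"
)


@dataclass
class VerifyResult:
    ok: bool
    fingerprint: str  # signer fingerprint from VALIDSIG, or "" if none
    reason: str


def parse_status(status_text: str):
    """Return (good, fingerprint) from gpg --status-fd output.

    The exit code alone is a poor oracle: gpg exits 0 for a valid signature
    from an untrusted key and only warns on stderr, so read the machine
    readable status lines and require VALIDSIG with no BADSIG/ERRSIG.
    """
    good, fingerprint = False, ""
    for line in status_text.splitlines():
        if line.startswith(("[GNUPG:] BADSIG", "[GNUPG:] ERRSIG")):
            return False, ""
        m = _VALIDSIG.match(line)
        if m:
            good, fingerprint = True, m.group(1)
    return good, fingerprint


def fingerprints_from_listing(colon_output: str):
    """Collect every fingerprint (primary and subkeys) from --with-colons."""
    fprs = set()
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9 and fields[9]:
            fprs.add(fields[9])
    return fprs


def verify_signature(tarball: str, asc: str, pubkey: str) -> VerifyResult:
    """Check asc over tarball using only the key(s) found in pubkey."""
    gpg = shutil.which("gpg")
    if gpg is None:
        return VerifyResult(False, "", "gpg not found on PATH")
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o700)  # gpg complains about loosely permissioned homes
        env = {"GNUPGHOME": home, "PATH": os.environ.get("PATH", "")}
        base = [gpg, "--batch", "--no-tty", "--homedir", home]
        run = lambda args: subprocess.run(base + args, env=env,
                                          capture_output=True, text=True)
        imp = run(["--import", pubkey])
        if imp.returncode != 0:
            return VerifyResult(False, "", "cannot import .pubkey: " + imp.stderr.strip())
        expected = fingerprints_from_listing(
            run(["--with-colons", "--fingerprint", "--list-keys"]).stdout)
        if not expected:
            return VerifyResult(False, "", ".pubkey contained no usable key")
        ver = run(["--status-fd", "1", "--verify", asc, tarball])
        good, fpr = parse_status(ver.stdout)
        if not good:
            return VerifyResult(False, fpr, "signature did not verify")
        if fpr not in expected:  # pin to the published key, not "any key gpg knows"
            return VerifyResult(False, fpr, "signed by a key not in the .pubkey file")
        return VerifyResult(True, fpr, "good signature from the published key")


if __name__ == "__main__":
    import sys
    name = sys.argv[1]  # e.g. foo.tar.gz; .asc and .pubkey sit beside it
    result = verify_signature(name, name + ".asc", name + ".pubkey")
    print(result)
    sys.exit(0 if result.ok else 1)
```

The fingerprint pin is the part that matters: a .pubkey fetched from the same place as the tarball and the .asc only proves that the three files are consistent with each other, since whoever could replace the archive could replace the key too. In practice you compare the fingerprint this script reports against one obtained out of band (the maintainer's site, a key signed by someone you already trust, or a value you recorded at first install) before treating the verification as meaningful.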
