On 11/19/12 7:43 PM, Daniel Holth wrote:
If pypi would also sign the public key, and possibly the metadata for a particular release, that feature could be pretty cool.
why pip ?
On Mon, Nov 19, 2012 at 1:37 PM, Tarek Ziadé <[email protected]> wrote:

Hey

I am currently writing a small script to verify that the gpg signature is correct when the --sign option is used with the Distutils upload command, and I was wondering why we don't publish the public key alongside the .asc file.

Right now, unless I missed something, to verify a signature the user has to manually get the public key before she can control the tarball.

Wouldn't it make sense to modify the upload command and add a .pubkey file alongside the archive file and the .asc file on PyPI ? (since we don't have a notion of team/users etc.)

Cheers
Tarek

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
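A sketch of the kind of verification script discussed in this thread, added here as an example and not code from either poster or from Distutils: it runs gpg on a detached .asc signature and accepts the result only when the signing key's fingerprint matches one the user already holds. The pinned fingerprint, the key id, the sample status lines and the function names are constructed for illustration, and the separately obtained fingerprint is an assumption of the example.

```python
import subprocess

# Constructed sample of `gpg --status-fd 1 --verify` output; the fingerprint
# and key id are made-up placeholders, not a real key.
PINNED_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
SAMPLE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Maintainer <maintainer@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2012-11-19 1353350000 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
"""

# Status keywords that mean the signature must not be trusted.
REJECT = ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG")


def gpg_status(archive, signature, keyring):
    """Run gpg on a detached .asc signature and return its status lines."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
           "--status-fd", "1", "--verify", signature, archive]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


def check_status(status, pinned_fpr):
    """Return (ok, reason) for gpg status output against a pinned fingerprint."""
    valid = []
    for line in status.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        keyword = parts[1]
        if keyword in REJECT:
            return False, keyword
        if keyword == "VALIDSIG" and len(parts) >= 3:
            # The last field is the primary key fingerprint when gpg reports
            # it; otherwise fall back to the signing key fingerprint.
            valid.append(parts[-1] if len(parts) >= 12 else parts[2])
    if not valid:
        return False, "no VALIDSIG"
    wanted = pinned_fpr.replace(" ", "").upper()
    if any(fpr.upper() != wanted for fpr in valid):
        return False, "signed by an unpinned key"
    return True, "VALIDSIG " + wanted
```

Feed the output of `gpg_status()` to `check_status()`; a key that was merely downloaded next to the archive only passes if its fingerprint equals the pinned one.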
