On 11/19/12 10:37 PM, Daniel Holth wrote:
You misread my first message, I only suggested that PyPI would sign the public keys.
oh right, sorry
PyPI already signs each release for the mirrors (see PEP 381) - so it sounds feasible
On Mon, Nov 19, 2012 at 4:31 PM, Tarek Ziadé <[email protected] <mailto:[email protected]>> wrote:On 11/19/12 8:03 PM, Daniel Holth wrote:On Mon, Nov 19, 2012 at 1:45 PM, Tarek Ziadé <[email protected] <mailto:[email protected]>> wrote: On 11/19/12 7:43 PM, Daniel Holth wrote:If pypi would also sign the public key, and possibly the metadata for a particular release, that feature could be pretty cool.why pip ? It's the premier Python package manager. PyPI would sign the publisher's keys so that you could trust them without having to worry about the connection. You could mirror the expected keys this way. Key revocation is an unrelated issue. A revoked key is still revoked even if you can download a version of it that is not marked as revoked.But you don't upload packages on Pypi using Pip - since it's just the installer - So I don't get the workflow
_______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
