Donald Stufft wrote:
> On Tuesday, November 20, 2012 at 3:41 AM, M.-A. Lemburg wrote:
>> For the second requirement, updating the .asc file would be
>> a solution. Alternatively, the packagers could check the revocation
>> date and then still allow packages to be installed which were signed
>> before the revocation happened.
>
> No, if a key is revoked it can no longer be used. I may discover that
> my key has been compromised months after it was actually compromised;
> I would then revoke it. I have no idea if the person (in the hypothetical)
> signed any packages with my key, or for how long they've been doing so.
>
> Once a key is revoked you must not trust it for anything.
Good point, even though that makes it very difficult to deal with the
validity of signatures on older packages - the package author may no
longer be in possession of the needed bits to sign those packages again
or do a re-upload.

Hmm, perhaps just signing the hash value is good enough. Those would be
stored on PyPI and remain accessible.

I wonder how systems like Debian or the various RPM-based ones deal with
the problem.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________
::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
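The disagreement above is about verifier policy, not about the signature primitive, so here is an added illustration of the two policies side by side. It is not code from the thread, from PyPI or from any of the participants; it is written in Go only because Go ships Ed25519 in its standard library. Everything in it is constructed: the key ID "maintainer", the June/November 2012 dates, the package bytes, and the detached "signed hash" record layout (digest followed by a claimed signing time, both under the signature). The scenario it plays out is the hypothetical from the quoted message: a key is stolen, the thief signs a trojaned build, and the maintainer only revokes months later.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

var (
	ErrUnknownKey = errors.New("signing key is not in the keyring")
	ErrRevoked    = errors.New("signing key has been revoked")
	ErrBadSig     = errors.New("signature does not verify")
)

// Policy selects which rule from the thread the verifier applies to a revoked key.
type Policy int

const (
	Strict             Policy = iota // a revoked key is trusted for nothing
	AllowPreRevocation               // honour records whose ClaimedAt precedes the revocation
)

// SignedHash is a hypothetical detached record over a package's SHA-256 digest.
// ClaimedAt is inside the signed bytes, so whoever holds the private key chooses it.
type SignedHash struct {
	KeyID     string
	Digest    [sha256.Size]byte
	ClaimedAt time.Time
	Sig       []byte
}

// message is the exact byte string the signature covers: digest || big-endian unix time.
func (r *SignedHash) message() []byte {
	ts := make([]byte, 8)
	binary.BigEndian.PutUint64(ts, uint64(r.ClaimedAt.Unix()))
	return append(append([]byte{}, r.Digest[:]...), ts...)
}

// KeyRecord is what a verifier knows about one maintainer key; RevokedAt is nil while trusted.
type KeyRecord struct {
	Pub       ed25519.PublicKey
	RevokedAt *time.Time
}

// Sign builds the record; anyone holding priv can pass any claimedAt they like.
func Sign(keyID string, priv ed25519.PrivateKey, pkg []byte, claimedAt time.Time) SignedHash {
	r := SignedHash{KeyID: keyID, Digest: sha256.Sum256(pkg), ClaimedAt: claimedAt}
	r.Sig = ed25519.Sign(priv, r.message())
	return r
}

// Verify checks the signature first, then applies the revocation policy.
func Verify(keys map[string]KeyRecord, r SignedHash, p Policy) error {
	rec, ok := keys[r.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(rec.Pub, r.message(), r.Sig) {
		return ErrBadSig
	}
	if rec.RevokedAt == nil || (p == AllowPreRevocation && r.ClaimedAt.Before(*rec.RevokedAt)) {
		return nil
	}
	return ErrRevoked
}

// RunScenario plays the thread's hypothetical on constructed keys, dates and package bytes.
func RunScenario() (map[string]error, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	keys := map[string]KeyRecord{"maintainer": {Pub: pub}}
	out := map[string]error{}
	// A genuine release, signed in June while the key was sound.
	t0 := time.Date(2012, time.June, 1, 0, 0, 0, 0, time.UTC)
	legit := Sign("maintainer", priv, []byte("example-1.0.tar.gz (constructed)"), t0)
	out["before revocation"] = Verify(keys, legit, Strict)
	// The key is stolen; the thief signs a trojaned build and simply backdates ClaimedAt.
	forged := Sign("maintainer", priv, []byte("trojaned example-1.0.tar.gz (constructed)"), t0.Add(-24*time.Hour))
	// Months later the maintainer notices and revokes.
	revokedAt := time.Date(2012, time.November, 20, 0, 0, 0, 0, time.UTC)
	keys["maintainer"] = KeyRecord{Pub: pub, RevokedAt: &revokedAt}
	out["strict legit"] = Verify(keys, legit, Strict)
	out["strict forged"] = Verify(keys, forged, Strict)
	out["lax legit"] = Verify(keys, legit, AllowPreRevocation)
	out["lax forged"] = Verify(keys, forged, AllowPreRevocation)
	return out, nil
}

func main() {
	out, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println(out)
}
```

Run it with `go run`. The strict policy rejects both the real June release and the forgery once the key is revoked, which is the cost Marc-Andre points at. The lax policy keeps the real release installable but accepts the forgery just as readily, because the only signing time a verifier has is the one the key holder wrote into the signed record, and the thief holds the key.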
