On Tue, Feb 5, 2013 at 10:13 PM, Giovanni Bajo <[email protected]> wrote: >> - An uploader must be able to revoke her keys from PyPI without >> access to her private key. > > This is already implemented, an user can modify her listed GPG fingerprint. > This is not different from, eg:, the page that allows a github user to > install and revoke SSH keys.
What happens with the signed packages (s)he already uploaded? How do they get verified on download of the original key is gone? //Lennart _______________________________________________ Catalog-SIG mailing list [email protected] http://mail.python.org/mailman/listinfo/catalog-sig
