On 05.02.2013 23:41, Lennart Regebro wrote:
> On Tue, Feb 5, 2013 at 10:13 PM, Giovanni Bajo <[email protected]> wrote:
>>> - An uploader must be able to revoke her keys from PyPI without
>>> access to her private key.
>>
>> This is already implemented; a user can modify her listed GPG fingerprint.
>> This is no different from, e.g., the page that allows a GitHub user to
>> install and revoke SSH keys.
>
> What happens with the signed packages (s)he already uploaded? How do
> they get verified on download if the original key is gone?
Long story short: they can't. When a key is revoked you can no longer trust any signature made with that key. When a user/key is removed/revoked from the system, all signatures are invalidated.

You have to keep in mind that key revocation and key expiration are two different things. A user can disable or expire a key. Old signatures stay valid, but the key can no longer be used to sign packages after the expiration date.

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
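The revocation-versus-expiration policy described in the reply above, as an added worked example that is not part of the original thread and not PyPI's code. It models an index keyring in which a key may be expired or revoked and shows how a verifier treats a signature made at a given time. To stay standard-library only, an HMAC stands in for an OpenPGP signature (so this toy "keyring" holds the secret, where a real index would hold only the public key); the fingerprint, secret, timestamps and package bytes are constructed placeholders. As in OpenPGP, the signature's creation time is covered by the signature itself, so the verifier can trust it when comparing against the key's expiry.

```python
"""Revoked vs. expired signing keys: how a verifier should treat old signatures.

Constructed example for illustration; NOT PyPI's code. An HMAC stands in for
an OpenPGP signature so the example runs with the standard library only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import hmac
from typing import Dict, Optional


@dataclass
class SigningKey:
    fingerprint: str
    secret: bytes                          # stand-in for the private key (assumption of this toy model)
    expires_at: Optional[datetime] = None  # set when the owner expires the key
    revoked_at: Optional[datetime] = None  # set when the owner revokes the key


@dataclass
class Signature:
    fingerprint: str
    signed_at: datetime  # creation time; included in the signed data below
    mac: bytes


def _signed_message(signed_at: datetime, payload: bytes) -> bytes:
    # Bind the creation time to the payload so it cannot be altered independently.
    return signed_at.isoformat().encode() + b"\x00" + payload


def sign(key: SigningKey, payload: bytes, signed_at: datetime) -> Signature:
    """Produce a signature whose creation time is authenticated along with the payload."""
    mac = hmac.new(key.secret, _signed_message(signed_at, payload), hashlib.sha256).digest()
    return Signature(key.fingerprint, signed_at, mac)


def verify(keyring: Dict[str, SigningKey], payload: bytes, sig: Signature) -> str:
    """Return 'ok' or the reason the signature is not trusted.

    Policy from the thread: a revoked (or removed) key invalidates every signature
    it ever made; an expired key keeps signatures made before the expiry valid but
    cannot sign anything after it.
    """
    key = keyring.get(sig.fingerprint)
    if key is None:
        return "unknown-key"  # key removed from the index: nothing to verify against
    expected = hmac.new(key.secret, _signed_message(sig.signed_at, payload), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig.mac):
        return "bad-signature"  # payload or claimed creation time was altered
    if key.revoked_at is not None:
        return "revoked"  # revocation: no signature from this key is trusted, old or new
    if key.expires_at is not None and sig.signed_at > key.expires_at:
        return "signed-after-expiry"  # key may not sign past its expiration date
    return "ok"


def demo() -> Dict[str, str]:
    """Walk through the scenario from the thread with constructed data."""
    t0 = datetime(2013, 2, 1, tzinfo=timezone.utc)
    key = SigningKey("CONSTRUCTED-FINGERPRINT-0001", secret=b"constructed-secret")
    keyring = {key.fingerprint: key}
    pkg = b"constructed contents of example-1.0.tar.gz"
    old_sig = sign(key, pkg, t0)
    results = {"before": verify(keyring, pkg, old_sig)}

    # The owner expires the key a week later: the old signature stays valid,
    # but a signature dated after the expiry is not.
    key.expires_at = t0 + timedelta(days=7)
    results["expired_old_sig"] = verify(keyring, pkg, old_sig)
    late_sig = sign(key, pkg, t0 + timedelta(days=30))
    results["expired_late_sig"] = verify(keyring, pkg, late_sig)

    # A modified package with the otherwise-valid old signature fails outright.
    results["tampered"] = verify(keyring, pkg + b"x", old_sig)

    # The owner revokes the key: every signature it ever made is invalid.
    key.revoked_at = t0 + timedelta(days=31)
    results["revoked_old_sig"] = verify(keyring, pkg, old_sig)

    # The key is removed from the index entirely: nothing left to verify against.
    del keyring[key.fingerprint]
    results["removed_old_sig"] = verify(keyring, pkg, old_sig)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:18} -> {outcome}")
```

The ordering in `verify` matters: the MAC is checked before the timestamp is consulted, so an attacker cannot backdate a signature to slip under an expiry, and revocation is checked before expiry because it overrides it.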
