On Wed, Feb 6, 2013 at 12:03 PM, Christian Heimes <[email protected]> wrote:
> On 05.02.2013 23:41, Lennart Regebro wrote:
>> On Tue, Feb 5, 2013 at 10:13 PM, Giovanni Bajo <[email protected]> wrote:
>>>> - An uploader must be able to revoke her keys from PyPI without
>>>>  access to her private key.
>>>
>>> This is already implemented: a user can modify her listed GPG fingerprint.
>>> This is no different from, e.g., the page that allows a GitHub user to
>>> install and revoke SSH keys.
>>
>> What happens with the signed packages (s)he already uploaded? How do
>> they get verified on download if the original key is gone?
>
> Long story short: They can't.
>
> When a key is revoked you can no longer trust any signature made with
> that key. When a user/key is removed/revoked from the system then all
> signatures are invalidated.
>
> You have to keep in mind that key revocation and key expiration are two
> different things. A user can disable or expire a key. Old signatures
> stay valid but the key can no longer be used to sign packages after the
> expiration date.

Right, and the user should be able to revoke it as well, but they then
need to understand that all their old packages will become invalid,
and that this should only be done if the key has been stolen.

//Lennart
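The revocation-versus-expiration rule discussed above, as an added example that is not part of this thread or of PyPI's code: a hypothetical per-uploader key listing in which `expire` keeps signatures made before the cut-off verifiable, while `revoke` (or simply editing the fingerprint out of the listing) invalidates everything ever signed with that key. Class and method names are my own; the policy assumes the signature has already been checked cryptographically and that the signing time comes from a trusted source such as the index's upload record.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Dict, Optional

class KeyState(Enum):
    ACTIVE = "active"
    EXPIRED = "expired"   # disabled from a date on; earlier signatures stay valid
    REVOKED = "revoked"   # treated as compromised; nothing signed with it is trusted

@dataclass
class KeyRecord:
    fingerprint: str
    state: KeyState = KeyState.ACTIVE
    not_after: Optional[datetime] = None  # only meaningful for EXPIRED keys

class UploaderKeys:
    """Hypothetical per-uploader key listing with a lifecycle per fingerprint."""

    def __init__(self) -> None:
        self._keys: Dict[str, KeyRecord] = {}

    def add(self, fingerprint: str) -> None:
        self._keys[fingerprint] = KeyRecord(fingerprint)

    def remove(self, fingerprint: str) -> None:
        # "Edit the listed fingerprint": the record is gone, and with it any way to verify.
        self._keys.pop(fingerprint, None)

    def expire(self, fingerprint: str, not_after: datetime) -> None:
        rec = self._keys[fingerprint]
        rec.state, rec.not_after = KeyState.EXPIRED, not_after

    def revoke(self, fingerprint: str) -> None:
        rec = self._keys[fingerprint]
        rec.state, rec.not_after = KeyState.REVOKED, None

    def signature_trusted(self, fingerprint: str, signed_at: datetime) -> bool:
        # Policy layer only. signed_at must come from a trusted record (e.g. the
        # index's upload time), not from the signature itself: whoever holds a
        # stolen key can backdate a self-reported timestamp, hence "revoke if stolen".
        rec = self._keys.get(fingerprint)
        if rec is None or rec.state is KeyState.REVOKED:
            return False
        if rec.state is KeyState.EXPIRED:
            return signed_at < rec.not_after
        return True
```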
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
