Right, but then we are again back to trusting a central authority, in this case plone.org. If we can trust plone.org, why can't we trust Python.org?
Some people might be concerned that PyPI could have been hacked, spreading viruses. Only signing by the original author can detect this attack.
My suggestion earlier was that whatever system we have will by default trust python.org. Or heck, we can even let the tools ask whether they should trust python.org. And then things are good.
That's pretty much the status quo, except that you need to verify that you really "got" the package from python.org. For that, either a validation of the (existing) SSL server certificate, or the validation of the (existing) master mirror signatures would be sufficient.

Regards,
Martin

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
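The first of the two checks Martin lists, validating the server certificate so that the download really came from the host named in the URL, and a digest check on the file itself, as an added example in Python (not code from the thread, from pip, or from PyPI). It assumes the expected digest is obtained from a source you already trust, for instance an index page fetched over verified TLS; the URL and digest in the usage section are placeholders, not real python.org values.

```python
"""Fetch a package over TLS with certificate validation, then check its digest.

Added example; not code from the Catalog-SIG thread. The URL and digest used
at the bottom are placeholders (assumptions), not real PyPI values.
"""
import hashlib
import hmac
import ssl
import urllib.request


def make_verifying_context() -> ssl.SSLContext:
    """TLS context that refuses a server whose certificate does not chain to a
    trusted CA or whose name does not match the host in the URL.

    This is the 'validation of the SSL server certificate' from the thread:
    it authenticates the transport endpoint, not the package author.
    """
    ctx = ssl.create_default_context()  # loads the platform CA store
    ctx.check_hostname = True           # reject certificates for another host
    ctx.verify_mode = ssl.CERT_REQUIRED  # reject untrusted or missing certs
    return ctx


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the file contents."""
    return hashlib.sha256(data).hexdigest()


def digest_matches(data: bytes, expected_sha256_hex: str) -> bool:
    """Compare the downloaded bytes against a digest from a trusted source.

    A digest fetched from the same untrusted mirror as the file proves
    nothing; it only helps if it was obtained through a channel you already
    trust (verified TLS to the master, or a signature you can check).
    """
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex.lower())


def fetch_verified(url: str, expected_sha256_hex: str, timeout: float = 30.0) -> bytes:
    """Download `url` over verified TLS; return the body only if its digest matches.

    Raises ssl.SSLCertVerificationError if the certificate check fails and
    ValueError if the scheme is not https or the digest does not match.
    """
    if not url.startswith("https://"):
        raise ValueError("refusing to download a package over plaintext HTTP")
    with urllib.request.urlopen(url, timeout=timeout,
                                context=make_verifying_context()) as resp:
        data = resp.read()
    if not digest_matches(data, expected_sha256_hex):
        raise ValueError("downloaded file does not match the expected SHA-256")
    return data


if __name__ == "__main__":
    # Offline demonstration with constructed bytes standing in for a package.
    package = b"constructed package contents, not a real sdist"
    trusted_digest = sha256_hex(package)          # as if read from a trusted index
    print("intact :", digest_matches(package, trusted_digest))
    print("tampered:", digest_matches(package + b"\x00", trusted_digest))
    # Real use (network; placeholder URL and digest, assumptions only):
    # fetch_verified("https://pypi.python.org/packages/example.tar.gz",
    #                trusted_digest)
```

Note what each check does and does not give you: the verified TLS connection tells you the bytes came from the server named in the URL, and the digest tells you they are the bytes that server (or whoever published the digest) meant to serve. Neither detects a compromised index that serves a malicious file together with a matching digest, which is the case the thread says only a signature by the original author can catch.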
