Sorry, if this has already been mentioned, but we could make GPG signing very user friendly for the PyPI users by:
- having the PyPI server verify the uploaded file against the registered GPG key of the uploader
- have the PyPI server sign the uploaded file using its own key (so you have two .asc signature files per upload - one coming directly from the uploader and another one from the PyPI server)
- have package managers verify the downloaded file against the signature applied by PyPI

Package managers would only have to know the PyPI public key for this to work. Users who want to apply an extra check could also verify the uploader's .asc signature file, but this would require downloading and installing the uploader's GPG key; in return for the extra work, they'd get two-way verification, though.

The concept is based on trust: PyPI trusts the uploader provided that s/he is using the registered GPG key. Package managers (and users) trust PyPI.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Feb 07 2013)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::::: Try our mxODBC.Connect Python Database Interface for free ! ::::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
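The two-signature flow proposed in the message above, as an added worked example (not code from the post, from PyPI, or from any package manager). It uses Ed25519 from Go's standard library as a stand-in for GPG/OpenPGP so that it runs offline with no gpg binary or keyring; the names Index, Release, Accept, VerifyIndex, VerifyBoth and the uploader "mal" are assumptions made for the example, and the distribution bytes are constructed. It shows the server verifying an upload against the registered key and countersigning, the client's baseline check with only the index key, the optional two-way check, and the two failure cases a practitioner cares about: a file modified after signing, and an upload signed with a key other than the one registered for that uploader.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Release is what an uploader submits: the distribution bytes plus the
// uploader's detached signature over them (the uploader's own ".asc").
type Release struct {
	Uploader string
	Data     []byte
	UserSig  []byte
}

// SignedRelease is what the index serves: the same release plus the
// index's own detached signature over the same bytes (the second ".asc").
type SignedRelease struct {
	Release
	IndexSig []byte
}

// Index models the server side (hypothetical): the keys uploaders have
// registered, and the index's own signing key.
type Index struct {
	registry map[string]ed25519.PublicKey
	priv     ed25519.PrivateKey
}

func NewIndex() (*Index, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Index{registry: map[string]ed25519.PublicKey{}, priv: priv}, nil
}

// Register records the key an uploader registered with the index.
func (ix *Index) Register(name string, pub ed25519.PublicKey) { ix.registry[name] = pub }

// PublicKey is the single key a package manager needs to ship.
func (ix *Index) PublicKey() ed25519.PublicKey { return ix.priv.Public().(ed25519.PublicKey) }

// Accept is the upload path: refuse anything not signed by the key
// registered for that uploader, otherwise countersign with the index key.
func (ix *Index) Accept(r Release) (SignedRelease, error) {
	pub, ok := ix.registry[r.Uploader]
	if !ok {
		return SignedRelease{}, errors.New("upload rejected: no key registered for " + r.Uploader)
	}
	if !ed25519.Verify(pub, r.Data, r.UserSig) {
		return SignedRelease{}, errors.New("upload rejected: signature does not match registered key")
	}
	return SignedRelease{Release: r, IndexSig: ed25519.Sign(ix.priv, r.Data)}, nil
}

// VerifyIndex is the default client check: only the index key is needed.
func VerifyIndex(indexPub ed25519.PublicKey, sr SignedRelease) bool {
	return ed25519.Verify(indexPub, sr.Data, sr.IndexSig)
}

// VerifyBoth is the optional extra check: the client has also fetched the
// uploader's key and checks the uploader's signature directly.
func VerifyBoth(indexPub, uploaderPub ed25519.PublicKey, sr SignedRelease) bool {
	return VerifyIndex(indexPub, sr) && ed25519.Verify(uploaderPub, sr.Data, sr.UserSig)
}

// Outcome collects the results of Demo so they can be checked rather than printed.
type Outcome struct {
	IndexOK, BothOK       bool // genuine upload passes both client checks
	TamperedOK            bool // file modified after signing: must be false
	ImpersonationRejected bool // upload signed with an unregistered key: must be refused
}

// Demo runs the whole flow on constructed data.
func Demo() (Outcome, error) {
	var o Outcome
	ix, err := NewIndex()
	if err != nil {
		return o, err
	}
	uploaderPub, uploaderPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	ix.Register("mal", uploaderPub)

	data := []byte("constructed stand-in for the bytes of example-1.0.tar.gz") // not a real sdist
	sr, err := ix.Accept(Release{Uploader: "mal", Data: data, UserSig: ed25519.Sign(uploaderPriv, data)})
	if err != nil {
		return o, err
	}
	o.IndexOK = VerifyIndex(ix.PublicKey(), sr)
	o.BothOK = VerifyBoth(ix.PublicKey(), uploaderPub, sr)

	// Flip one byte of the served file: the index signature no longer matches.
	tampered := sr
	tampered.Data = append([]byte{}, sr.Data...)
	tampered.Data[0] ^= 0xff
	o.TamperedOK = VerifyIndex(ix.PublicKey(), tampered)

	// Someone holding a different key claims to be "mal": the index refuses the upload.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return o, err
	}
	_, err = ix.Accept(Release{Uploader: "mal", Data: data, UserSig: ed25519.Sign(otherPriv, data)})
	o.ImpersonationRejected = err != nil
	return o, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

The design choice worth noting is that the index countersigns the uploaded bytes only after verifying the uploader's signature, so a client that checks nothing but the index key still inherits the uploader check transitively; the stronger VerifyBoth path is what protects against a compromised index key, which is exactly the case the baseline check cannot catch.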
