On Saturday, February 9, 2013 at 4:23 PM, Giovanni Bajo wrote:
> Hello,
>
> my proposal for fixing PyPI and pip security is here:
> https://docs.google.com/a/develer.com/document/d/1DgQdDCZY5LiTY5mvfxVVE4MTWiaqIGccK3QCUI8np4k/edit#
>
> I tried to sum up the discussions we had here last week, elaborating on
> Heimes' proposal by simplifying it where I thought the additional steps
> wouldn't guarantee additional security. At this point, the proposal does not
> include a central, uber-master online GPG signing key to be stored on PyPI,
> which is IMO quite hard to handle correctly.
>
> Comments are welcome!
> --
> Giovanni Bajo :: [email protected]
> Develer S.r.l. :: http://www.develer.com
>
> My Blog: http://giovanni.bajo.it
> _______________________________________________
> Catalog-SIG mailing list
> [email protected]
> http://mail.python.org/mailman/listinfo/catalog-sig

Thanks for writing this up. I'll take a closer look at it later tonight (and I'm sure many other folks will as well!).
