On Sun, Jun 2, 2013 at 10:09 PM, Donald Stufft <[email protected]> wrote:
> If we deploy some sort of end to end signing I think TUF is a good
> implementation of it.
>
> I'm not sold on the possibility of reasonably doing end to end signing here
> though.

I think in the long run it's a technology we want to offer, but even
with it deployed PyPI would continue to act as a trusted intermediary
in most cases. Effective key management is such a PITA that only a few
larger projects would be in a real position to take direct advantage
of end-to-end signing - for the remaining projects, trusting PyPI not
to get compromised is already the status quo.

Cheers,
Nick.

--
Nick Coghlan   |   [email protected]   |   Brisbane, Australia
_______________________________________________
Distutils-SIG maillist  -  [email protected]
http://mail.python.org/mailman/listinfo/distutils-sig