On Jul 16, 2013, at 5:19 AM, holger krekel <hol...@merlinux.eu> wrote:

> I am considering implementing gpg-signing and verification of release files
> for devpi. Rather than requiring package authors to sign their release
> files, I am pondering a scheme where anyone can vet for a particular
> published release file by publishing a signature about it. This aims
> to help responsible companies to work together. I've heard from devops/admins
> that they manually download and check release files and then install
> it offline after some vetting. Wouldn't it be useful to turn this
> into a more collaborative effort?
>
> Any thoughts or pointers to existing efforts within the (Python)
> packaging ecologies?
>
> best,
> holger
>
> _______________________________________________
> Distutils-SIG maillist - Distutils-SIG@python.org
> http://mail.python.org/mailman/listinfo/distutils-sig

So I'm not entirely sure what your goals are here. What exactly are you verifying? What is going to verify signatures once you have a (theoretically) trusted set? What is going to keep a malicious actor from poisoning the well?

-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
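The three questions above (what is verified, who verifies, and what stops well-poisoning) have a concrete shape once you write down the consumer's side of the scheme Holger describes. The following is an added example, not code from this thread, from devpi, or from either author. It models a "vetting signature" as a signature over the SHA-256 digest of the release file, and a local trust policy that only counts signatures from keys the installing admin has chosen, requiring a threshold of distinct trusted vetters. Ed25519 from Go's standard library stands in for GPG so the example runs offline; the vetter names, the trust set, the threshold and the release bytes are all constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Vetter is one party that vouches for release files. The hex of the public
// key is the identity a consumer's trust set refers to (hypothetical scheme).
type Vetter struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// Attestation is a vetter's published statement "I checked this file".
// It signs the file's SHA-256 digest, so the statement is bound to exact bytes.
type Attestation struct {
	KeyID  string
	Digest [32]byte
	Sig    []byte
}

func NewVetter(name string) *Vetter {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Vetter{Name: name, Pub: pub, priv: priv}
}

func (v *Vetter) Attest(release []byte) Attestation {
	d := sha256.Sum256(release)
	return Attestation{KeyID: hex.EncodeToString(v.Pub), Digest: d, Sig: ed25519.Sign(v.priv, d[:])}
}

// TrustPolicy is the consumer's own decision: which keys count, and how many
// distinct ones must agree before a file is accepted. Nothing published on
// the index can enlarge this set; that is what limits well-poisoning.
type TrustPolicy struct {
	Trusted   map[string]ed25519.PublicKey
	Threshold int
}

// Verify returns how many distinct trusted vetters validly attested this
// exact file, and whether that meets the threshold. Attestations from
// untrusted keys, about other digests, or with bad signatures are ignored.
func (p TrustPolicy) Verify(release []byte, atts []Attestation) (int, bool) {
	d := sha256.Sum256(release)
	seen := map[string]bool{}
	for _, a := range atts {
		pub, ok := p.Trusted[a.KeyID]
		if !ok || a.Digest != d || !ed25519.Verify(pub, d[:], a.Sig) {
			continue
		}
		seen[a.KeyID] = true // each key counts once, however often it signs
	}
	return len(seen), len(seen) >= p.Threshold
}

// ScenarioResult collects the outcomes of the constructed scenario below.
type ScenarioResult struct {
	GoodCount                         int
	GoodOK, TamperedOK, PoisonedOK    bool
	DupCount                          int
	DupOK                             bool
}

// RunScenario builds two trusted vetters, one untrusted one, and checks the
// policy against a genuine file, a tampered copy, a flood of untrusted
// signatures, and one vetter signing twice. All inputs are constructed.
func RunScenario() ScenarioResult {
	alice, bob, mallory := NewVetter("alice"), NewVetter("bob"), NewVetter("mallory")
	policy := TrustPolicy{
		Trusted:   map[string]ed25519.PublicKey{hex.EncodeToString(alice.Pub): alice.Pub, hex.EncodeToString(bob.Pub): bob.Pub},
		Threshold: 2,
	}
	release := []byte("constructed contents of example-1.0.tar.gz")
	good := []Attestation{alice.Attest(release), bob.Attest(release)}
	var r ScenarioResult
	r.GoodCount, r.GoodOK = policy.Verify(release, good)
	_, r.TamperedOK = policy.Verify(append(release, '!'), good)
	flood := []Attestation{mallory.Attest(release), NewVetter("m2").Attest(release), NewVetter("m3").Attest(release)}
	_, r.PoisonedOK = policy.Verify(release, flood)
	r.DupCount, r.DupOK = policy.Verify(release, []Attestation{alice.Attest(release), alice.Attest(release)})
	return r
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The point the code makes is that "who verifies" is the installing side, against a trust set it configured itself; the index only distributes attestations. A key that is not in that set can publish any number of signatures without moving the count, and a single trusted key cannot satisfy a threshold of two by signing repeatedly.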