On 07/18/2013 09:34 AM, Justin Cappos wrote:
> My impression is this only holds for things signed directly by PyPI because the developers have not registered a key. I think that developers who register keys won't have this issue. Let's talk about this when you return, but it's really projects / developers that will be stable in the common case, not packages, right?



Yes, developers who register keys and have the stable role delegate their packages to themselves will not have this issue.

When I say "package", I mean what gets downloaded and installed when pip goes to PyPI to get a package with exactly the given name. I am not aware of a way to guide pip to install packages by projects (could you clarify what you mean by this?) or developers, but perhaps this might change in the future with PyPI metadata 2.0.
_______________________________________________
Distutils-SIG maillist  -  Distutils-SIG@python.org
http://mail.python.org/mailman/listinfo/distutils-sig