On July 28, 2014 at 6:24:06 PM, Giovanni Bajo (ra...@develer.com) wrote:
>
> I haven’t fully-fledged the details yet. Technically, when
> you revoke a key, you declare the date from which the key was compromised;
> everything signed before that date is still considered valid,
> so there is no need to re-sign releases that predate the compromise.
>
> My idea would be that PyPI would have a background job which routinely
> checks for revoked keys; when it finds one, it automatically
> disassociates it from the maintainer's account, and removes (hides?)
> any package whose signature is not valid anymore. The maintainer
> would then have to log in to PyPI, register a new GPG fingerprint,
> and re-sign releases which were disabled.
I didn’t read everything else yet, but no. That’s not how revocation works. Expiration != Revocation. If a key is revoked it is no longer trusted, for anything, ever.

--
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig