On July 28, 2014 at 7:37:14 PM, Nick Coghlan (ncogh...@gmail.com) wrote:

> 1. People like Donald, Ernest, Richard, Noah (i.e. PyPI and infrastructure
> admins) are part of the threat model for PEP 458. How does your PEP defend
> against full compromise of those accounts?
Quick clarification: PEP 458 trusts *someone*, most likely the PyPI admins, who hold the ultimate trust root and who do the signing of the claimed roles periodically. However, if I recall, it has provisions that allow N of M requirements, so we can opt to require more than one of those key holders to do the actual signing.

-- 
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
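The "N of M" provision the reply refers to is the per-role signing threshold in TUF metadata (PEP 458 adopts TUF): the trusted root metadata lists M key IDs for a role and a threshold N, and a metadata file for that role is accepted only when at least N distinct listed keys have produced valid signatures over it. The example below is added here to illustrate that check; it is not code from PEP 458, TUF, or PyPI. It assumes HMAC-SHA256 as a stand-in for the public-key signature scheme real TUF uses (such as Ed25519) so that it runs on the Python standard library alone, which means the verifier holds the same secret as the signer, something a real deployment would never do. The key names and metadata body are constructed sample data.

```python
import hashlib
import hmac
import json

# Added example; not code from PEP 458, TUF, or PyPI. Demonstrates the
# N-of-M signing threshold a TUF role carries: the role lists M trusted
# key IDs and a threshold N, and metadata is accepted only when at least
# N distinct listed keys have produced valid signatures over it.
# Assumption: HMAC-SHA256 stands in for the public-key signatures real
# TUF uses (e.g. Ed25519) so this runs on the standard library; the
# verifier therefore holds the signer's secret, which a real deployment
# never does. The threshold logic is the point of the example.


def canonical(signed: dict) -> bytes:
    """Deterministic encoding of the signed portion; TUF signs canonical JSON."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def keyid(key: bytes) -> str:
    """TUF identifies a key by a hash of the key; hash the stand-in key here."""
    return hashlib.sha256(key).hexdigest()


def sign(key: bytes, signed: dict) -> dict:
    """One {"keyid", "sig"} entry, as found in a TUF metadata file's signatures list."""
    return {"keyid": keyid(key), "sig": hmac.new(key, canonical(signed), "sha256").hexdigest()}


def verify_one(key: bytes, sig_hex: str, signed: dict) -> bool:
    expected = hmac.new(key, canonical(signed), "sha256").hexdigest()
    return hmac.compare_digest(expected, sig_hex)


def verify_threshold(envelope: dict, role: dict, keystore: dict) -> bool:
    """
    envelope: {"signed": {...}, "signatures": [{"keyid", "sig"}, ...]}
    role:     {"keyids": [...], "threshold": N}, taken from trusted root metadata
    keystore: keyid -> verification key (the HMAC secret here; public keys in TUF)
    """
    trusted = set(role["keyids"])
    valid_signers = set()
    for entry in envelope["signatures"]:
        kid = entry["keyid"]
        if kid not in trusted or kid not in keystore:
            continue  # a key the role does not list contributes nothing
        if verify_one(keystore[kid], entry["sig"], envelope["signed"]):
            valid_signers.add(kid)  # a set: one key signing twice still counts once
    return len(valid_signers) >= role["threshold"]


def demo() -> dict:
    """Constructed scenario: three admin keys with a 2-of-3 threshold."""
    admins = {name: f"secret-for-{name}".encode() for name in ("donald", "richard", "noah")}
    keystore = {keyid(k): k for k in admins.values()}
    role = {"keyids": sorted(keystore), "threshold": 2}
    signed = {"_type": "targets", "version": 7, "expires": "2014-09-01T00:00:00Z"}

    def envelope(*keys):
        return {"signed": signed, "signatures": [sign(k, signed) for k in keys]}

    outsider = b"not-an-admin-key"  # a key the role never listed
    tampered = envelope(admins["donald"], admins["richard"])
    tampered["signed"] = dict(signed, version=8)  # body edited after signing

    return {
        "one_admin": verify_threshold(envelope(admins["donald"]), role, keystore),
        "two_admins": verify_threshold(envelope(admins["donald"], admins["noah"]), role, keystore),
        "same_key_twice": verify_threshold(envelope(admins["donald"], admins["donald"]), role, keystore),
        "admin_plus_outsider": verify_threshold(envelope(admins["donald"], outsider), role, keystore),
        "tampered_body": verify_threshold(tampered, role, keystore),
    }


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'accepted' if accepted else 'rejected'}")
```

Only the "two_admins" scenario is accepted. The other four show what a threshold check has to refuse: a single signer below N, the same key counted twice, a signature from a key the role does not list, and a body altered after signing. Compromising one admin account in this setup is therefore not enough to publish metadata; an attacker needs N distinct listed keys.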