> On Jan 2, 2015, at 10:51 AM, Nick Coghlan <ncogh...@gmail.com> wrote:
>
> Getting them to manage additional keys, and get them signed and registered
> appropriately, and then supplying them is going to be a similar amount of
> work, and the purpose is far more cryptic and confusing. My proposal is
> basically that instead of asking developers to manage signing keys, we should
> instead be asking them to manage an account on a validation server (or servers).

I need to think more about the rest of what you’ve said (and I don’t think it’s a short term problem), but I just wanted to point out that “managing keys” can be as simple as “create a secondary pass(word|phrase) and remember it/write it down/whatever”. It doesn’t need to be “secure this file and copy it around to all of your computers”. Likewise there’s no reason that “delegate authority to someone else” can’t be something like ``twine add-maintainer pip pfmoore``.

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig