> On Jun 1, 2017, at 8:15 PM, Matt Joyce <[email protected]> wrote:
>
> Or start doing signed PGP for package maintainers and build a transitive
> trust model.
PGP is not useful for our use case except as a generic crypto primitive, and there are better generic crypto primitives out there. See https://caremad.io/posts/2013/07/packaging-signing-not-holy-grail/

Donald Stufft
_______________________________________________
Distutils-SIG maillist - [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
