I was more pushing for the transitive trust element than signing. That being said, any signing at all would be progress.
On Jun 1, 2017 9:07 PM, "Donald Stufft" <[email protected]> wrote:

> On Jun 1, 2017, at 8:15 PM, Matt Joyce <[email protected]> wrote:
>
>> Or start doing signed pgp for package maintainers and build a transitive trust model.
>
> PGP is not useful for our use case except as a generic crypto primitive, and there are better generic crypto primitives out there.
>
> See https://caremad.io/posts/2013/07/packaging-signing-not-holy-grail/
>
> — Donald Stufft
_______________________________________________
Distutils-SIG maillist - [email protected]
https://mail.python.org/mailman/listinfo/distutils-sig
