On Fri, Jun 22, 2012 at 9:35 AM, Donald Stufft <donald.stu...@gmail.com> wrote:
> Ideally authors will be signing their packages (using gpg keys). Of course
> how to distribute keys is an exercise left to the reader.

Key distribution is the real issue though. If there isn't a key
distribution infrastructure in place, we might as well not bother with
signatures. PyPI could issue X.509 certs to packagers. You wouldn't be
able to verify that the name given is accurate, but you would be able
to verify that all packages with the same listed author are actually
by that author.

>
> On Friday, June 22, 2012 at 11:48 AM, Vinay Sajip wrote:
>
> <martin <at> v.loewis.de> writes:
>
> See above. Also notice that such signing is already implemented, as part
> of PEP 381.
>
> BTW, I notice that the certificate for https://pypi.python.org/ expired a
> week ago ...
>
> Regards,
>
> Vinay Sajip
>
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
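The scheme proposed in the message above, as an added example that is not part of the thread and not anything PyPI implemented: a toy index acts as a CA and issues an Ed25519/X.509 certificate to each packager account, a packager signs the SHA-256 of an archive, and an installer that trusts only the index root checks the chain, the signature, that the listed author is the certified account, and that an author name keeps using the same key from one upload to the next. Go's standard library is used because it can issue and verify certificates without third-party packages; the type names, the SignedPackage layout, the "index packager CA (hypothetical)" name and the sample archive bytes are all assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Packager is a certificate plus the private key that never leaves its owner; the index CA is one too.
type Packager struct {
	Cert *x509.Certificate
	key  ed25519.PrivateKey
}

// SelfSigned makes a self-signed CA: the index root, or a rogue cert that merely claims a name.
func SelfSigned(cn string) (*Packager, error) { return issue(cn, nil) }

// Enroll binds a fresh key to an account name. The index cannot check that the
// name is "accurate"; it only records which key belongs to that account.
func (ca *Packager) Enroll(account string) (*Packager, error) { return issue(account, ca) }

// issue generates an Ed25519 key pair and a cert for cn, signed by parent or (parent nil) by itself as a CA.
func issue(cn string, parent *Packager) (*Packager, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62)) // toy serial
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), // toy validity
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if parent == nil { // self-signed root: the template signs itself with its own key
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent = &Packager{Cert: tmpl, key: priv}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, pub, parent.key)
	if err != nil { return nil, err }
	cert, err := x509.ParseCertificate(der)
	return &Packager{Cert: cert, key: priv}, err
}

// SignedPackage is one upload: metadata, archive bytes, the signer's DER cert and
// an Ed25519 signature over SHA-256(archive). This layout is an assumption.
type SignedPackage struct {
	Name, Version, Author       string
	Archive, CertDER, Signature []byte
}

func digest(b []byte) []byte { h := sha256.Sum256(b); return h[:] }

func (p *Packager) Sign(name, version string, archive []byte) SignedPackage {
	return SignedPackage{Name: name, Version: version, Author: p.Cert.Subject.CommonName,
		Archive: archive, CertDER: p.Cert.Raw, Signature: ed25519.Sign(p.key, digest(archive))}
}

// Installer trusts only the index root and pins the key each author name has used.
type Installer struct {
	roots  *x509.CertPool
	pinned map[string]ed25519.PublicKey
}

func NewInstaller(index *Packager) *Installer {
	pool := x509.NewCertPool(); pool.AddCert(index.Cert)
	return &Installer{roots: pool, pinned: map[string]ed25519.PublicKey{}}
}

func (i *Installer) Verify(pkg SignedPackage) error {
	cert, err := x509.ParseCertificate(pkg.CertDER)
	if err != nil { return err }
	// Key distribution: a signature under a cert we cannot chain to the index proves nothing.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: i.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("certificate not issued by the index: %w", err)
	}
	pub := cert.PublicKey.(ed25519.PublicKey) // safe here: the index only issues Ed25519 certs
	if !ed25519.Verify(pub, digest(pkg.Archive), pkg.Signature) {
		return fmt.Errorf("signature does not match archive of %s %s", pkg.Name, pkg.Version)
	}
	// Name accuracy is unverifiable, but the listed author must be the account the index certified...
	if cert.Subject.CommonName != pkg.Author {
		return fmt.Errorf("cert issued to %q but package lists author %q", cert.Subject.CommonName, pkg.Author)
	}
	// ...and every package listing that name must keep using the same key.
	if prev, seen := i.pinned[pkg.Author]; seen && !prev.Equal(pub) {
		return fmt.Errorf("author %q previously signed with a different key", pkg.Author)
	}
	i.pinned[pkg.Author] = pub
	return nil
}

func main() {
	index, _ := SelfSigned("index packager CA (hypothetical)")
	alice, _ := index.Enroll("alice")
	rogue, _ := SelfSigned("alice") // claims the name but was never enrolled with the index
	inst := NewInstaller(index)
	fmt.Println(inst.Verify(alice.Sign("foo", "1.0", []byte("constructed sdist bytes"))))
	fmt.Println(inst.Verify(rogue.Sign("foo", "1.1", []byte("constructed sdist bytes"))))
}
```

Verify never establishes that "alice" is the real Alice, since the index never checked that either; what it establishes is that every package listing "alice" was signed by the key the index bound to that account, and it rejects a self-signed certificate that merely claims the name, which is exactly the gap a signature without key distribution leaves open.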