Not at the moment, but I could gather them up and make them public later today. They are very rough drafts at the moment.

On Friday, June 22, 2012 at 1:09 PM, Alexandre Zani wrote:
> On Fri, Jun 22, 2012 at 9:56 AM, Donald Stufft <donald.stu...@gmail.com> wrote:
> > On Friday, June 22, 2012 at 12:54 PM, Alexandre Zani wrote:
> > >
> > > Key distribution is the real issue though. If there isn't a key
> > > distribution infrastructure in place, we might as well not bother with
> > > signatures. PyPI could issue x509 certs to packagers. You wouldn't be
> > > able to verify that the name given is accurate, but you would be able
> > > to verify that all packages with the same listed author are actually
> > > by that author.
> >
> > I've been sketching out ideas for key distribution, but it's very much
> > a chicken and egg problem, very few people sign their packages (because
> > nothing uses it currently), and nobody is motivated to work on
> > infrastructure or tooling because no one signs their packages.
>
> Are those ideas available publicly? I would love to chip in.