Why not just use gpg signatures and maintain trusted signing keys? There’s no reason to reinvent the wheel. If a user wants to use unsigned or untrusted packages, they have to accept the risk.

Thanks,
Greg

On Wed, Jul 5, 2023 at 2:05 PM Chris Angelico <ros...@gmail.com> wrote:

> On Thu, 6 Jul 2023 at 03:57, James Addison via Python-ideas
> <python-ideas@python.org> wrote:
> > I also agree with a later reply about avoiding the murkier side of
> > blockchains / etc. That said, it seems to me (again, sample size one
> > anecdata) that creating a more levelled playing field for package
> > publication could benefit from the use of some distributed technologies.
> > Even HTTP mirrors are, arguably, a basic form of that.. there's at least
> > one question related to recency of data, though. Delaying availability of
> > a package to an audience -- if it's important enough -- could under some
> > circumstances become effectively similar to censorship.
> >
>
> A blockchain won't solve anything here. It would be completely and
> utterly impractical to put the packages themselves into a blockchain,
> so all you'd have is the index, and that means it's just a bad version
> of PyPI's own single-page index.
>
> ChrisA
> _______________________________________________
> Python-ideas mailing list -- python-ideas@python.org
> To unsubscribe send an email to python-ideas-le...@python.org
> https://mail.python.org/mailman3/lists/python-ideas.python.org/
> Message archived at
> https://mail.python.org/archives/list/python-ideas@python.org/message/PTIS3HZHJSFV7ETWE7UP4HKXS4WN2OEO/
> Code of Conduct: http://python.org/psf/codeofconduct/
_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at https://mail.python.org/archives/list/python-ideas@python.org/message/NYQSV7RO3GKE7272WZQ7VSIASNYKITMI/
Code of Conduct: http://python.org/psf/codeofconduct/