On 23.06.12 14:03, mar...@v.loewis.de wrote:
I'm surprised gpg hasn't been mentioned here. I think these are all
solved problems, most free software that is signed signs it with the
gpg key of the author. In that case all that is needed is that the
cheeseshop allows the uploading of the
Quoting Hynek Schlawack h...@ox.cx:
On 23.06.12 14:03, mar...@v.loewis.de wrote:
I'm surprised gpg hasn't been mentioned here. I think these are all
solved problems, most free software that is signed signs it with the
gpg key of the author. In that case all that is needed is that the
On 22 June 2012 17:56, Donald Stufft donald.stu...@gmail.com wrote:
On Friday, June 22, 2012 at 12:54 PM, Alexandre Zani wrote:
Key distribution is the real issue though. If there isn't a key
distribution infrastructure in place, we might as well not bother with
signatures. PyPI could issue
Oh sorry, having read the thread this spawned from I see you're talking
about MS Windows signed binaries. Something I know next to nothing
about, so ignore my babbling.
On 23 June 2012 11:52, Floris Bruynooghe f...@devork.be wrote:
On 22 June 2012 17:56, Donald Stufft donald.stu...@gmail.com
I'm surprised gpg hasn't been mentioned here. I think these are all
solved problems, most free software that is signed signs it with the
gpg key of the author. In that case all that is needed is that the
cheeseshop allows the uploading of the signature.
For the record, the cheeseshop has been
Quoting Antoine Pitrou solip...@pitrou.net:
On Fri, 22 Jun 2012 12:27:19 +0100
Paul Moore p.f.mo...@gmail.com wrote:
Signed binaries may be a solution. My experience with signed binaries
has not been exactly positive, but it's an option. Presumably PyPI
would be the trusted authority?
martin at v.loewis.de writes:
See above. Also notice that such signing is already implemented, as part
of PEP 381.
BTW, I notice that the certificate for https://pypi.python.org/ expired a week
ago ...
Regards,
Vinay Sajip
Ideally authors will be signing their packages (using gpg keys). Of course
how to distribute keys is an exercise left to the reader.
On Friday, June 22, 2012 at 11:48 AM, Vinay Sajip wrote:
martin at v.loewis.de writes:
See above. Also notice that such signing is
On Friday, June 22, 2012 at 12:54 PM, Alexandre Zani wrote:
Key distribution is the real issue though. If there isn't a key
distribution infrastructure in place, we might as well not bother with
signatures. PyPI could issue x509 certs to packagers. You wouldn't be
able to verify that the
Not at the moment, but I could gather them up and make them public later today.
They are very rough draft at the moment.
On Friday, June 22, 2012 at 1:09 PM, Alexandre Zani wrote:
On Fri, Jun 22, 2012 at 9:56 AM, Donald Stufft donald.stu...@gmail.com wrote: