[Distutils] Surviving a Compromise of PyPI - PEP 458 and 480

Paul Moore p.f.moore at gmail.com
Fri Jan 2 12:04:40 CET 2015


On 2 January 2015 at 06:38, Donald Stufft <donald at stufft.io> wrote:
> Developer keys get signed by offline keys controlled by I’m guessing either
> myself or Richard or both.

One thought here. The issue being discussed here seems mainly to be
that it's hard to manage signing of developer keys. That's certainly
one issue, but another is that the signing process takes time. When I
set up my first project [1], I did so because I had an idea one
afternoon, knocked up the first draft and set up the project. If there
had been a delay of a week because you and Richard were both on
holiday (or even a day, because of timezones) I may not have bothered
- I tend to only have the opportunity to work on things for Python in
pretty short bursts.

You could argue that we don't want projects on PyPI that have been set
up with so little preparation - it's a valid position to take - but
that's a separate matter. I just want to make the point that
management isn't the only issue here. Turnaround time is also a
barrier to entry that needs to be considered. And not every project
that people want to publish is something major like requests or
django...

Paul

[1] I assume I only need to set up a key once, for my PyPI account. If
I need an individual key per project, the cost multiplies. And it
means that the barrier is to all new projects, rather than merely to
attracting new developers.
