[Python-Dev] Signed packages

Alexandre Zani alexandre.zani at gmail.com
Fri Jun 22 19:09:22 CEST 2012


On Fri, Jun 22, 2012 at 9:56 AM, Donald Stufft <donald.stufft at gmail.com> wrote:
> On Friday, June 22, 2012 at 12:54 PM, Alexandre Zani wrote:
>
>> Key distribution is the real issue though. If there isn't a key
>> distribution infrastructure in place, we might as well not bother with
>> signatures. PyPI could issue x509 certs to packagers. You wouldn't be
>> able to verify that the name given is accurate, but you would be able
>> to verify that all packages with the same listed author are actually
>> by that author.
>
> I've been sketching out ideas for key distribution, but it's very much
> a chicken and egg problem: very few people sign their packages (because
> nothing uses it currently), and nobody is motivated to work on
> infrastructure or tooling because no one signs their packages.

Are those ideas available publicly? I would love to chip in.
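The model discussed above (the index acting as a CA for its packagers, so a client can check that every package listing the same author was signed under an index-issued certificate for that account, without learning whether the name is accurate), as an added example that is not part of this thread, of PyPI or of Python: a Go program using only the standard library (Go 1.18 or later, for the generic helper). The index CA, the account names, the package bytes and every function name in it are constructed for the demo.

```go
package main

// Added example, not Python's or PyPI's own code: a package index acting as the CA
// for its packagers, the model sketched on the thread.  All names and bytes are made up.

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Credential is a certificate plus its private key (index root or packager).
type Credential struct{ Cert *x509.Certificate; key ed25519.PrivateKey }

// SignedPackage is what a client downloads: the package, the author named in
// its metadata, the packager's certificate and a signature over name+content.
type SignedPackage struct{ Name, Author string; Content, Sig []byte; Cert *x509.Certificate }

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// issue creates a key pair and a certificate for it, signed by parent (self-signed
// when parent is nil).  Only rand.Reader failures can panic here.
func issue(tmpl *x509.Certificate, parent *Credential) *Credential {
	pub, priv, err := ed25519.GenerateKey(rand.Reader); must(0, err)
	if parent == nil {
		parent = &Credential{Cert: tmpl, key: priv} // self-signed root
	}
	tmpl.SerialNumber = must(rand.Int(rand.Reader, big.NewInt(1<<62)))
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Cert, pub, parent.key))
	return &Credential{Cert: must(x509.ParseCertificate(der)), key: priv}
}

// NewIndexCA creates the root every client would have to ship; getting that
// root onto clients is the key-distribution step the thread says is missing.
func NewIndexCA(name string) *Credential {
	return issue(&x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		NotAfter: time.Now().AddDate(10, 0, 0)}, nil)
}

// IssuePackagerCert binds an account name to a fresh key.  The index vouches
// only that the key belongs to that account, not that the name is accurate.
func IssuePackagerCert(ca *Credential, account string) *Credential {
	return issue(&x509.Certificate{Subject: pkix.Name{CommonName: account},
		KeyUsage: x509.KeyUsageDigitalSignature, NotAfter: time.Now().AddDate(1, 0, 0),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}, ca)
}

// signedMessage binds the signature to the package name as well as its bytes (Ed25519 hashes internally).
func signedMessage(name string, content []byte) []byte { return append(append([]byte(name), 0), content...) }

// Sign produces a package whose metadata lists the given author name.
func Sign(p *Credential, name, author string, content []byte) *SignedPackage {
	return &SignedPackage{Name: name, Author: author, Content: content, Cert: p.Cert,
		Sig: ed25519.Sign(p.key, signedMessage(name, content))}
}

// Verify accepts a package only if its certificate chains to the index root as a code-signing
// certificate, the signature matches, and the certificate was issued to the account listed as author.
func Verify(pkg *SignedPackage, roots *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := pkg.Cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate not issued by the index: %w", err)
	}
	if pub, ok := pkg.Cert.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, signedMessage(pkg.Name, pkg.Content), pkg.Sig) {
		return fmt.Errorf("signature does not match package %q", pkg.Name)
	}
	if cn := pkg.Cert.Subject.CommonName; cn != pkg.Author {
		return fmt.Errorf("certificate issued to %q, metadata lists %q", cn, pkg.Author)
	}
	return nil
}

// Scenarios runs Verify on two genuine uploads and three forgeries; true means accepted.
func Scenarios() map[string]bool {
	ca := NewIndexCA("Example Index Packager CA")
	roots := x509.NewCertPool(); roots.AddCert(ca.Cert)
	alice := IssuePackagerCert(ca, "alice")
	impostor := IssuePackagerCert(NewIndexCA("Rogue CA"), "alice") // same name, untrusted root
	content := []byte("constructed sample sdist bytes")
	genuine := Sign(alice, "foo", "alice", content)
	tampered := *genuine; tampered.Content = append([]byte("trojan "), content...)
	ok := func(p *SignedPackage) bool { return Verify(p, roots) == nil }
	return map[string]bool{
		"genuine":                  ok(genuine),
		"second package, same key": ok(Sign(alice, "bar", "alice", []byte("other"))),
		"tampered content":         ok(&tampered),
		"author mismatch":          ok(Sign(alice, "foo", "bob", content)),
		"impostor certificate":     ok(Sign(impostor, "foo", "alice", content)),
	}
}

func main() { fmt.Println(Scenarios()) }
```

Run it with go run and each scenario prints true or false. The two rejected forgeries that matter for the thread are "author mismatch" and "impostor certificate": the client has no way to know whether "alice" is a real person, but it can tell that every package it accepts under that name was signed with a key the index certified for that account, which is exactly the guarantee (and the limit) described above.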

