[Catalog-sig] [Draft] Package signing and verification process
Lennart Regebro
regebro at gmail.com
Wed Feb 6 20:04:36 CET 2013
On a general note:
Trust in keys is a hard problem which people have tried to solve for
20-30 years now. We are not going to solve it here and now.
The only path forward when it comes to keys and signatures is that we
ask people to trust a central key source. This is not a perfect
solution, but the only one that is practical and feasible right now.
Personally, I also see package signing as a "high-hanging fruit" in
the security issues regarding the current state of Python packaging.
In the interest of security and efficiency we should concentrate on
the low-hanging fruit first.
//Lennart