[Python-Dev] Signed packages

Donald Stufft donald.stufft at gmail.com
Fri Jun 22 19:11:34 CEST 2012


Not at the moment, but I could gather them up and make them public later today. They
are very rough drafts at the moment.


On Friday, June 22, 2012 at 1:09 PM, Alexandre Zani wrote:

> On Fri, Jun 22, 2012 at 9:56 AM, Donald Stufft <donald.stufft at gmail.com> wrote:
> > On Friday, June 22, 2012 at 12:54 PM, Alexandre Zani wrote:
> > 
> > 
> > Key distribution is the real issue though. If there isn't a key
> > distribution infrastructure in place, we might as well not bother with
> > signatures. PyPI could issue x509 certs to packagers. You wouldn't be
> > able to verify that the name given is accurate, but you would be able
> > to verify that all packages with the same listed author are actually
> > by that author.
> > 
> > I've been sketching out ideas for key distribution, but it's very much
> > a chicken-and-egg problem: very few people sign their packages (because
> > nothing uses it currently), and nobody is motivated to work on
> > infrastructure or tooling because no one signs their packages.
> > 
> 
> 
> Are those ideas available publicly? I would love to chip in. 

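The thread's point about key distribution can be shown in code: a signature by itself proves only that whoever holds the signing key produced the file, so an attacker who ships their own public key alongside a tampered package gets a "valid" signature. What an index-issued certificate buys is continuity: once a key is bound to an author name, later uploads under that name must verify under the same key, even though the name itself is not authenticated. The following is an added example, not code from this thread or from PyPI; it uses textbook RSA built from Mersenne primes as a deliberately insecure stand-in for a real signature scheme so that it runs on the standard library alone, and the author names, file contents and KeyStore API are constructed for illustration.

```python
"""Key continuity for signed packages (added example, not from the thread).

Textbook RSA with two Mersenne primes stands in for a real signature scheme
so this runs without third-party packages. It is a toy: never use it for
anything real.
"""
import hashlib
from dataclasses import dataclass

_E = 65537  # coprime to (p-1)(q-1) for every prime pair used below


def _digest(data: bytes, n: int) -> int:
    # Message representative: SHA-256 truncated to 160 bits so it is < n
    # for the ~190-bit moduli built from the Mersenne primes below.
    return int.from_bytes(hashlib.sha256(data).digest()[:20], "big") % n


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


class PrivateKey:
    def __init__(self, p: int, q: int, e: int = _E) -> None:
        self.n = p * q
        self.e = e
        self.d = pow(e, -1, (p - 1) * (q - 1))  # Python 3.8+

    def public(self) -> PublicKey:
        return PublicKey(self.n, self.e)

    def sign(self, data: bytes) -> int:
        return pow(_digest(data, self.n), self.d, self.n)


def verify(pub: PublicKey, data: bytes, sig: int) -> bool:
    """Raw signature check: true for *any* key that signed the data."""
    return pow(sig, pub.e, pub.n) == _digest(data, pub.n)


class KeyStore:
    """Hypothetical client-side store of author name -> pinned public key.

    Models the proposal in the thread: the index vouches for a key per
    author (e.g. via an issued cert), so every later package under that
    name must verify under the pinned key. The name is not authenticated;
    only consistency across releases is.
    """

    def __init__(self) -> None:
        self._pinned: dict[str, PublicKey] = {}

    def register(self, author: str, pub: PublicKey) -> None:
        if author in self._pinned and self._pinned[author] != pub:
            raise ValueError(f"{author}: a different key is already pinned")
        self._pinned[author] = pub

    def check(self, author: str, data: bytes, sig: int) -> str:
        pinned = self._pinned.get(author)
        if pinned is None:
            return "unknown-author"
        return "ok" if verify(pinned, data, sig) else "bad-signature"


def demo() -> dict:
    # Two distinct toy key pairs; the Mersenne exponents make p and q prime.
    author_key = PrivateKey(2**89 - 1, 2**107 - 1)
    attacker_key = PrivateKey(2**61 - 1, 2**127 - 1)

    store = KeyStore()
    store.register("alice", author_key.public())  # first-use pin for alice

    # Constructed sample package bytes, not real archives.
    release1 = b"alice-pkg-1.0.tar.gz: constructed sample bytes"
    release2 = b"alice-pkg-1.1.tar.gz: constructed, tampered sample bytes"

    good_sig = author_key.sign(release1)
    evil_sig = attacker_key.sign(release2)

    return {
        "genuine": store.check("alice", release1, good_sig),
        # The attacker's signature verifies under the key they ship with it,
        # which is exactly why a bare signature check proves nothing.
        "evil_self_verifies": verify(attacker_key.public(), release2, evil_sig),
        # Against the key pinned for "alice" it fails.
        "evil_vs_pinned": store.check("alice", release2, evil_sig),
        # A name nobody has pinned gets no assurance at all.
        "stranger": store.check("mallory", release2, evil_sig),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The `evil_self_verifies` case is the "we might as well not bother" scenario: with no key distribution the verifier has nothing to compare against except material the attacker controls. The `KeyStore` is the minimum that makes signatures meaningful, and it still cannot tell you that "alice" is who she claims to be, only that the same key has signed everything published under that name.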
