[SciPy-Dev] [Numpy-discussion] scipy 0.18 release candidate 1

Pauli Virtanen pav at iki.fi
Thu Jun 23 14:55:12 EDT 2016


Thu, 23 Jun 2016 11:47:37 -0700, Nathaniel Smith wrote:
[clip]
> I believe the question was specifically about wheels that aren't being
> built by any of those three people though? But anyway, yeah, that is the
> main situation where this kind of package signing might help, and which
> I addressed in the second half of the email :-). But note that it would
> also work just as well to, say, keep a text file in the scipy repo that
> has the sha256 of every file uploaded to pypi. (Maybe even better,
> because someone who attacked pypi could delete the PGP signatures to
> confuse matters, and do you have backups?)

How do I know one of these people pushed the commit that changed the 
checksums to the Scipy repository?

PGP signatures do add stronger guarantees than just trusting GitHub, 
provided that you know the people whose keys are in question.
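The exchange above turns on what a checksum file in the repository can and cannot guarantee. The following is an added example, not code from the thread or from the SciPy project: it builds and verifies a `sha256sum`-style manifest over constructed sample artifacts, then shows the limitation Pauli points to, namely that whoever can rewrite the manifest can make a tampered artifact verify cleanly, so the manifest itself needs an authenticated origin (a signed commit or tag, or a detached signature) before the checksums mean anything. File names and contents are constructed for illustration.

```python
"""Verify release artifacts against a sha256 manifest (added example).

Manifest format mirrors `sha256sum` output: "<64 hex chars>  <filename>"
per line. All artifact names and bytes below are constructed samples.
"""
import hashlib
import hmac
from typing import Dict

# Constructed sample artifacts: filename -> bytes a release would ship.
ARTIFACTS: Dict[str, bytes] = {
    "scipy-0.18.0rc1.tar.gz": b"constructed sdist contents",
    "scipy-0.18.0rc1-cp35-cp35m-manylinux1_x86_64.whl": b"constructed wheel contents",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: Dict[str, bytes]) -> str:
    """Produce the checksum text a maintainer would commit alongside a release."""
    return "".join(
        f"{sha256_hex(data)}  {name}\n" for name, data in sorted(artifacts.items())
    )


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines; reject anything that is not digest + name."""
    entries: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        digest, name = parts
        # sha256sum prefixes binary-mode entries with '*'; strip it.
        entries[name.lstrip("*")] = digest.lower()
    return entries


def verify(artifacts: Dict[str, bytes], manifest_text: str) -> Dict[str, str]:
    """Return a verdict per artifact: 'ok', 'mismatch', or 'unlisted'."""
    expected = parse_manifest(manifest_text)
    verdicts: Dict[str, str] = {}
    for name, data in artifacts.items():
        if name not in expected:
            verdicts[name] = "unlisted"
        elif hmac.compare_digest(sha256_hex(data), expected[name]):
            verdicts[name] = "ok"
        else:
            verdicts[name] = "mismatch"
    return verdicts


def demonstrate_manifest_limit() -> Dict[str, str]:
    """Show why the manifest's own origin must be authenticated.

    A tampered artifact is caught against the maintainer's manifest, but
    an attacker who can also rewrite the manifest (e.g. by pushing an
    unauthenticated commit) gets a clean 'ok'. Returns both verdicts.
    """
    tampered = dict(ARTIFACTS)
    tampered["scipy-0.18.0rc1.tar.gz"] = b"constructed altered contents"
    honest_manifest = build_manifest(ARTIFACTS)
    rewritten_manifest = build_manifest(tampered)  # attacker-controlled
    return {
        "against_honest_manifest": verify(tampered, honest_manifest)["scipy-0.18.0rc1.tar.gz"],
        "against_rewritten_manifest": verify(tampered, rewritten_manifest)["scipy-0.18.0rc1.tar.gz"],
    }


if __name__ == "__main__":
    print(build_manifest(ARTIFACTS))
    print(verify(ARTIFACTS, build_manifest(ARTIFACTS)))
    print(demonstrate_manifest_limit())
```

The checksum comparison uses `hmac.compare_digest` so the check does not leak timing, and unknown files are reported as `unlisted` rather than silently accepted. The `demonstrate_manifest_limit` result is the crux: the same verifier says `mismatch` and then `ok` for the same tampered file depending only on who last wrote the manifest, which is exactly why the manifest needs a signature (or a signed tag/commit from a known key) and not just a location in the repository.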
