<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 11/19/12 10:37 PM, Daniel Holth
wrote:<br>
</div>
<blockquote
cite="mid:CAG8k2+7tmmm6BQiE7Cxgo5a5_BHncAWtjJfBt9Yt9X_tGRSA4A@mail.gmail.com"
type="cite">You misread my first message, I only suggested that
PyPI would sign the public keys.<br>
</blockquote>
oh right, sorry<br>
<br>
PyPI already signs each release for the mirrors (see PEP 381) - so
it sounds feasible<br>
<blockquote
cite="mid:CAG8k2+7tmmm6BQiE7Cxgo5a5_BHncAWtjJfBt9Yt9X_tGRSA4A@mail.gmail.com"
type="cite">
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Mon, Nov 19, 2012 at 4:31 PM, Tarek
Ziadé <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:tarek@ziade.org" target="_blank">tarek@ziade.org</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div class="h5">
<div>On 11/19/12 8:03 PM, Daniel Holth wrote:<br>
</div>
<blockquote type="cite">On Mon, Nov 19, 2012 at 1:45
PM, Tarek Ziadé <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:tarek@ziade.org" target="_blank">tarek@ziade.org</a>></span>
wrote:<br>
<div class="gmail_extra">
<div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0
0 0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>
<div>On 11/19/12 7:43 PM, Daniel Holth
wrote:<br>
</div>
<blockquote type="cite">If pypi would also
sign the public key, and possibly the
metadata for a particular release, that
feature could be pretty cool.</blockquote>
<br>
</div>
why pip?</div>
</blockquote>
<div><br>
</div>
<div>It's the premier Python package manager.</div>
<div><br>
</div>
<div>PyPI would sign the publisher's keys so
that you could trust them without having to
worry about the connection. You could mirror
the expected keys this way.</div>
<div><br>
</div>
<div>Key revocation is an unrelated issue. A
revoked key is still revoked even if you can
download a version of it that is not marked as
revoked.</div>
</div>
</div>
</blockquote>
<br>
</div>
</div>
But you don't upload packages on PyPI using pip - since
it's just the installer - so I don't get the workflow<br>
<br>
</div>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
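<p>The trust chain sketched in the quoted message (PyPI signs the publisher's public key, the publisher signs the release metadata, the installer trusts only PyPI's key), written out as an added Go example; it is not code from pip or PyPI, and <code>Cert</code>, <code>IssueCert</code>, <code>Verify</code> and the revocation list are assumptions made for the illustration.</p>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Constructed model of the proposal: PyPI signs each publisher's public
// key, the publisher signs its release metadata, and an installer that
// trusts only PyPI's key verifies the chain. Names here are hypothetical.

// Cert binds a publisher name to a public key under PyPI's signature.
type Cert struct {
	Publisher string
	PubKey    ed25519.PublicKey
	PyPISig   []byte // PyPI's signature over certBytes(Publisher, PubKey)
}

// certBytes is the message PyPI signs: name, a NUL separator, raw key.
func certBytes(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), pub...)
}

// IssueCert is what PyPI would do once per registered publisher key.
func IssueCert(pypiPriv ed25519.PrivateKey, name string, pub ed25519.PublicKey) Cert {
	return Cert{Publisher: name, PubKey: pub, PyPISig: ed25519.Sign(pypiPriv, certBytes(name, pub))}
}

// Verify walks the chain on the installer side. A key on the revocation
// list is rejected even if its certificate still verifies, which is the
// sense in which revocation is a separate concern from distribution.
func Verify(pypiPub ed25519.PublicKey, revoked map[string]bool, c Cert, metadata, releaseSig []byte) bool {
	if revoked[string(c.PubKey)] {
		return false
	}
	if !ed25519.Verify(pypiPub, certBytes(c.Publisher, c.PubKey), c.PyPISig) {
		return false // key not endorsed by PyPI
	}
	return ed25519.Verify(c.PubKey, metadata, releaseSig)
}

func main() {
	pypiPub, pypiPriv, _ := ed25519.GenerateKey(rand.Reader)
	pubPub, pubPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueCert(pypiPriv, "example-publisher", pubPub)
	meta := []byte("name=example\nversion=1.0\n") // constructed metadata
	sig := ed25519.Sign(pubPriv, meta)
	fmt.Println("valid chain:", Verify(pypiPub, nil, cert, meta, sig))
}
```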
</body>
</html>