<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 11/19/12 10:37 PM, Daniel Holth
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAG8k2+7tmmm6BQiE7Cxgo5a5_BHncAWtjJfBt9Yt9X_tGRSA4A@mail.gmail.com"
      type="cite">You misread my first message, I only suggested that
      PyPI would sign the public keys.<br>
    </blockquote>
    oh right, sorry<br>
    <br>
    PyPI already signs each release for the mirrors (see PEP 381) - so
    it sounds feasible<br>
    <blockquote
cite="mid:CAG8k2+7tmmm6BQiE7Cxgo5a5_BHncAWtjJfBt9Yt9X_tGRSA4A@mail.gmail.com"
      type="cite">
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Mon, Nov 19, 2012 at 4:31 PM, Tarek
          Ziadé <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:tarek@ziade.org" target="_blank">tarek@ziade.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div>
                <div class="h5">
                  <div>On 11/19/12 8:03 PM, Daniel Holth wrote:<br>
                  </div>
                  <blockquote type="cite">On Mon, Nov 19, 2012 at 1:45
                    PM, Tarek Ziadé <span dir="ltr"><<a
                        moz-do-not-send="true"
                        href="mailto:tarek@ziade.org" target="_blank">tarek@ziade.org</a>></span>
                    wrote:<br>
                    <div class="gmail_extra">
                      <div class="gmail_quote">
                        <blockquote class="gmail_quote" style="margin:0
                          0 0 .8ex;border-left:1px #ccc
                          solid;padding-left:1ex">
                          <div bgcolor="#FFFFFF" text="#000000">
                            <div>
                              <div>On 11/19/12 7:43 PM, Daniel Holth
                                wrote:<br>
                              </div>
                              <blockquote type="cite">If pypi would also
                                sign the public key, and possibly the
                                metadata for a particular release, that
                                feature could be pretty cool.</blockquote>
                              <br>
                            </div>
why pip?</div>
                        </blockquote>
                        <div><br>
                        </div>
                        <div>It's the premier Python package manager.</div>
                        <div><br>
                        </div>
                        <div>PyPI would sign the publisher's keys so
                          that you could trust them without having to
                          worry about the connection. You could mirror
                          the expected keys this way.</div>
                        <div><br>
                        </div>
                        <div>Key revocation is an unrelated issue. A
                          revoked key is still revoked even if you can
                          download a version of it that is not marked as
                          revoked.</div>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
But you don't upload packages on PyPI using pip - since
              it's just the installer - so I don't get the workflow<br>
              <br>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
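The trust chain sketched in the thread (PyPI signs the publisher's public key, the publisher signs the release metadata, and a revoked key stays revoked even if an unmarked copy of its endorsement can still be fetched), as an added stand-alone model rather than code from pip, PyPI or PEP 381. Ed25519 for both signature levels, the Endorsement/Release structs and the revocation set are assumptions made for the illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Endorsement is PyPI's signature over a publisher's public key (the thread's proposal).
type Endorsement struct{ PublisherKey ed25519.PublicKey; Sig []byte }
// Release is the publisher's signature over the release metadata bytes.
type Release struct{ Metadata, Sig []byte }
// Endorse is the step PyPI performs once per publisher key.
func Endorse(pypiPriv ed25519.PrivateKey, pub ed25519.PublicKey) Endorsement {
	return Endorsement{PublisherKey: pub, Sig: ed25519.Sign(pypiPriv, pub)}
}
// SignRelease is the step the publisher performs before uploading.
func SignRelease(priv ed25519.PrivateKey, metadata []byte) Release {
	return Release{Metadata: metadata, Sig: ed25519.Sign(priv, metadata)}
}
// VerifyRelease is the installer-side check: PyPI key -> publisher key -> metadata.
// A revoked key fails even when the copy of its endorsement in hand carries no mark.
func VerifyRelease(pypiPub ed25519.PublicKey, e Endorsement, r Release, revoked map[string]bool) error {
	if !ed25519.Verify(pypiPub, e.PublisherKey, e.Sig) {
		return errors.New("publisher key is not endorsed by PyPI")
	}
	if revoked[string(e.PublisherKey)] { // a nil map reads as empty
		return errors.New("publisher key has been revoked")
	}
	if !ed25519.Verify(e.PublisherKey, r.Metadata, r.Sig) {
		return errors.New("release metadata signature does not verify")
	}
	return nil
}
// Demo returns four outcomes: valid chain, tampered metadata, key PyPI never endorsed, revoked key.
func Demo() []error {
	pypiPub, pypiPriv, _ := ed25519.GenerateKey(rand.Reader)
	pubPub, pubPriv, _ := ed25519.GenerateKey(rand.Reader)
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)
	meta := []byte("name: example\nversion: 1.0\n") // constructed metadata
	good, rel := Endorse(pypiPriv, pubPub), SignRelease(pubPriv, meta)
	tampered := Release{Metadata: []byte("name: example\nversion: 1.1\n"), Sig: rel.Sig}
	rogue := Endorsement{PublisherKey: roguePub, Sig: ed25519.Sign(roguePriv, roguePub)} // self-signed, not by PyPI
	return []error{
		VerifyRelease(pypiPub, good, rel, nil),
		VerifyRelease(pypiPub, good, tampered, nil),
		VerifyRelease(pypiPub, rogue, SignRelease(roguePriv, meta), nil),
		VerifyRelease(pypiPub, good, rel, map[string]bool{string(pubPub): true}),
	}
}
```

The third case is the one the thread cares about: a key that reaches the installer over an untrusted connection or mirror but lacks PyPI's endorsement is rejected regardless of how it arrived.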
  </body>
</html>