<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
<title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Would it be worthwhile to stipulate that anyone who wants to submit a
package to an automated distutils system have a PGP/GPG key signed by
an appropriate Python authority or another developer? Initially these
would all be an "authority" of some form, of course. This at least
allows the authentication of authors' packages as being intact and
submitted by themselves, which then allows a good method of filtering <i>à
la</i> "I like this author's software", etc. via rating systems and the
like.<br>
<br>
Just a thought from a PGP activist.<br>
<pre class="moz-signature" cols="72">--
Michael T. Babcock
C.T.O., FibreSpeed Ltd.
<a class="moz-txt-link-freetext" href="http://www.fibrespeed.net/~mbabcock">http://www.fibrespeed.net/~mbabcock</a></pre>
</body>
</html>