[Python-Dev] Signed packages

Alexandre Zani alexandre.zani at gmail.com
Fri Jun 22 18:54:28 CEST 2012


On Fri, Jun 22, 2012 at 9:35 AM, Donald Stufft <donald.stufft at gmail.com> wrote:
> Ideally authors will be signing their packages (using gpg keys). Of course
> how to distribute keys is an exercise left to the reader.

Key distribution is the real issue though. If there isn't a key
distribution infrastructure in place, we might as well not bother with
signatures. PyPI could issue x509 certs to packagers. You wouldn't be
able to verify that the name given is accurate, but you would be able
to verify that all packages with the same listed author are actually
by that author.

>
> On Friday, June 22, 2012 at 11:48 AM, Vinay Sajip wrote:
>
> <martin <at> v.loewis.de> writes:
>
>
> See above. Also notice that such signing is already implemented, as part
> of PEP 381.
>
>
> BTW, I notice that the certificate for https://pypi.python.org/ expired a
> week
> ago ...
>
> Regards,
>
> Vinay Sajip
>
>
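The index-issued-certificate scheme Alexandre sketches above, as an added Go example that is not part of the thread: the index (PyPI) signs an (author name, author key) binding, and the installer checks that the cert is index-signed, pins the first key seen for each author name, and rejects a later cert for the same name under a different key. The index key, author names and package bytes are constructed stand-ins, and Ed25519 signatures stand in for x509 to keep the example short.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Cert is the hypothetical index-issued credential: the index signs the
// (author name, author key) binding; it says nothing about who the author is.
type Cert struct {
	Author string
	Pub    ed25519.PublicKey
	Sig    []byte // index signature over certBody(Author, Pub)
}

func certBody(author string, pub ed25519.PublicKey) []byte {
	return append([]byte(author+"\x00"), pub...)
}

// IssueCert plays the role of the index (PyPI) acting as CA.
func IssueCert(indexPriv ed25519.PrivateKey, author string, pub ed25519.PublicKey) Cert {
	return Cert{author, pub, ed25519.Sign(indexPriv, certBody(author, pub))}
}

// Check accepts a package only if the cert is index-signed, the certified key is
// the one pinned in seen for that author (first use pins it), and sig verifies.
func Check(indexPub ed25519.PublicKey, seen map[string]ed25519.PublicKey, c Cert, pkg, sig []byte) error {
	if !ed25519.Verify(indexPub, certBody(c.Author, c.Pub), c.Sig) {
		return fmt.Errorf("cert for %q not signed by index", c.Author)
	}
	if prev, ok := seen[c.Author]; ok && !prev.Equal(c.Pub) {
		return fmt.Errorf("key for author %q changed", c.Author)
	}
	if !ed25519.Verify(c.Pub, pkg, sig) {
		return fmt.Errorf("bad package signature for %q", c.Author)
	}
	seen[c.Author] = c.Pub
	return nil
}

func main() {
	idxPub, idxPriv, _ := ed25519.GenerateKey(rand.Reader)
	aPub, aPriv, _ := ed25519.GenerateKey(rand.Reader)
	mPub, mPriv, _ := ed25519.GenerateKey(rand.Reader) // second key claiming "alice"
	seen := map[string]ed25519.PublicKey{}
	pkg := []byte("foo-1.0.tar.gz") // constructed stand-in for package bytes
	fmt.Println(Check(idxPub, seen, IssueCert(idxPriv, "alice", aPub), pkg, ed25519.Sign(aPriv, pkg)))
	fmt.Println(Check(idxPub, seen, IssueCert(idxPriv, "alice", mPub), pkg, ed25519.Sign(mPriv, pkg)))
}
```

The second call fails with a key-change error even though its cert is validly index-signed, which is exactly the continuity guarantee the scheme gives; it still cannot tell you whether "alice" is really Alice.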