I was more pushing for the transitive trust element than signing. That being said, any signing at all would be progress.

On Jun 1, 2017 9:07 PM, "Donald Stufft" <donald@stufft.io> wrote:

On Jun 1, 2017, at 8:15 PM, Matt Joyce <matt@nycresistor.com> wrote:

Or start doing signed PGP for package maintainers and build a transitive trust model.



PGP is not useful for our use case except as a generic crypto primitive, and there are better generic crypto primitives out there. See https://caremad.io/posts/2013/07/packaging-signing-not-holy-grail/



Donald Stufft