Feb. 2, 2004
2:37 a.m.
On Feb 1, 2004, at 6:10 PM, Bob Ippolito wrote:
The pythonmac-sig proposed-but-nobody-is-working-on-it solution is for Jack and I to use some secure mechanism, let's say s/mime or pgp, to send the hash of our package *index* every time we make an update.
That way, one hash is sent that confirms the integrity of every hash in the index.
A single S/MIME email from you or Jack would totally suffice for me for the short term. That way I could look in the archive, verify the sig, and know that the hashes are valid. (Assuming you and Jack aren't really black hats. :) --keith