On Jan 2, 2015, at 9:55 AM, Nick Coghlan <ncoghlan@gmail.com> wrote:

I just don't personally have any major open questions for PEP 458 - while I'm aware there are some significant technical details to be resolved in terms of exactly what gets signed, and how the implementation will work in practice, I think the concept is sound, and I don't have the necessary knowledge of pip and PyPI internals to have an opinion on the details of the integration.

To be clear, I also think that PEP 458’s concept is sound and I think it’s the right direction to go in. The things I think are holding it back are nailing down the technical details and getting it so that someone can get a high level understanding of what it’s actually doing without needing to read the supporting documentation (white paper, etc) and without some level of what most would call expert knowledge in the area (though I don’t like to call myself an expert, I realize to most people I likely am).

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA