RE: [Distutils] PGP keys required? (Re: PEP 243)
3 Feb 2004, 10:08 a.m.
From: M.-A. Lemburg [mailto:mal@egenix.com]
I'm not trying to argue the case, just to demonstrate how the world looks from the POV of security-naive people like me...
Perhaps distutils should simply start to add MD5 or SHA hash sums of the created archives to the meta-data which gets uploaded to e.g. PyPI. That way, the user can easily see whether a mirror has the correct packages or not. Better than nothing, I'd say, and easy to implement even without having to go through all the PKI stuff :-)
That sounds sensible. Everything needed is part of Python, no requirements on the user, some level of check for those that care. I can't see a downside...

Paul.
Moore, Paul
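
The check proposed in the quoted suggestion, sketched with only the standard library. This is an added example, not part of the original mail and not distutils or PyPI code. The metadata field names, the function names and the choice of SHA-256 are assumptions, and the archive bytes are constructed.

```python
import hashlib
import hmac
import io

# Digest algorithms this sketch accepts (an assumption; the mail says "MD5 or SHA").
ALLOWED_ALGORITHMS = ("sha256", "sha512")

# Constructed stand-in for the bytes of a built source archive.
SAMPLE_ARCHIVE = b"constructed bytes standing in for example-pkg-1.0.tar.gz"


def archive_digest(fileobj, algorithm="sha256", chunk_size=65536):
    """Hash a binary file object in chunks so large archives are never fully in memory."""
    digest = hashlib.new(algorithm)
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def build_metadata(name, version, archive_bytes, algorithm="sha256"):
    """Publisher side: the record uploaded to the index (field names are hypothetical)."""
    return {
        "name": name,
        "version": version,
        "digest_algorithm": algorithm,
        "digest": archive_digest(io.BytesIO(archive_bytes), algorithm),
    }


def verify_mirror_copy(metadata, mirror_bytes):
    """User side: True only if the mirror's archive hashes to the published digest.

    The metadata has to be fetched from the index itself, not from the mirror
    under test, otherwise a bad mirror can serve a matching digest.
    """
    algorithm = metadata["digest_algorithm"]
    if algorithm not in ALLOWED_ALGORITHMS:
        raise ValueError("unsupported digest algorithm: %r" % algorithm)
    actual = archive_digest(io.BytesIO(mirror_bytes), algorithm)
    return hmac.compare_digest(actual, metadata["digest"])


if __name__ == "__main__":
    meta = build_metadata("example-pkg", "1.0", SAMPLE_ARCHIVE)
    print("published:", meta["digest_algorithm"], meta["digest"])
    print("good mirror:", verify_mirror_copy(meta, SAMPLE_ARCHIVE))
    print("altered mirror:", verify_mirror_copy(meta, SAMPLE_ARCHIVE + b"\x00"))
```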