[Catalog-sig] How to verify cheeseshop signatures?

Phillip J. Eby pje at telecommunity.com
Sun Oct 23 19:39:10 CEST 2005

At 07:20 PM 10/23/2005 +0200, Martin v. Löwis wrote:
>When you have package dependencies, the using package could include the
>key fingerprint of the expected signer of the used package. A user would
>then only have to trust the "topmost" package author, to not include
>malware in its own package, and to have verified the signer of the
>lower packages for both identity and moral trustworthiness.

In this case, that person could simply distribute everything from their 
site, and the user can simply require all the downloads to come from that 
site using easy_install's --allow-hosts option.  For example, since 
TurboGears distributes all its dependencies, I could trust only 
turbogears.org.  Or, I could choose to trust anything from 

In other words, host-based trust seems a lot easier to implement and almost 
as useful.

More information about the Catalog-sig mailing list