[Catalog-sig] Replication and security

Jesus Cea jcea at jcea.es
Mon Jan 5 18:03:29 CET 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Currently setuptools allows uploading a PGP signature along with the package,
so that integrity and security can be checked. As far as I know,
"easy_install" currently doesn't check it. That is bad, but life sucks.

My problem now is with mirrors: how can anybody validate files?
Besides the possible PGP signatures of authors (a check that should be
integrated in "easy_install"), I would like the PYPI main server (I guess it
would be the single point where people upload new packages; the mirrors
would be read-only) to digitally sign each uploaded package. This way,
easy_install can check any package downloaded from any mirror, because
PYPI's public key would be a well-known value.

I have code in Python to digitally sign and verify signatures using the
ElGamal algorithm. Any interest?

- --
Jesus Cea Avion                         _/_/      _/_/_/        _/_/_/
jcea at jcea.es - http://www.jcea.es/     _/_/    _/_/  _/_/    _/_/  _/_/
jabber / xmpp:jcea at jabber.org         _/_/    _/_/          _/_/_/_/_/
.                              _/_/  _/_/    _/_/          _/_/  _/_/
"Things are not so easy"      _/_/  _/_/    _/_/  _/_/    _/_/  _/_/
"My name is Dump, Core Dump"   _/_/_/        _/_/_/      _/_/  _/_/
"El amor es poner tu felicidad en la felicidad de otro" - Leibniz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iQCVAwUBSWI9YZlgi5GaxT1NAQLDFAQAjKWWmi9h3E4RvEupi03oAy839iCe7AO5
1nAHs+0aeQbQwskcUSD1RVZ4xP/AeJ+Gva1rvJfr7Ho41FD9WEFO/ErnHyGhEnL3
QK30lXbosnIWoqRiwXijrKtYp+9/pyixuDt7bL8hQ6ZBzgsOnknHaLJhDsNK+AMf
KowdHXxsnPo=
=eTrH
-----END PGP SIGNATURE-----
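The scheme proposed in the message above, as an added example that is not the poster's code and not anything from PyPI, setuptools or easy_install: a toy Python model with a central index that signs every upload, a read-only mirror that may be compromised, and an installer that pins the central public key and rejects anything the mirror serves that does not verify against it. The textbook ElGamal signing routine, the Mersenne prime 2**521 - 1 used as modulus, the base 3, the sample package bytes and all class and function names are assumptions made here for illustration; the group parameters are demonstration-only and not a production-grade choice.

```python
import hashlib
import secrets
from math import gcd

# Demonstration parameters (assumed here, not from the message): the modulus is
# the Mersenne prime 2**521 - 1 and the base is an arbitrary small element.
# A real deployment would use a vetted group of 2048 bits or more, or rather a
# reviewed library; this only shows the sign-at-upload / verify-at-install flow.
P = 2**521 - 1
G = 3


def _hash_to_int(data: bytes) -> int:
    """Hash the file before signing; textbook ElGamal on raw data is forgeable."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def elgamal_keygen():
    """Return (private x, public y) with y = g^x mod p."""
    x = secrets.randbelow(P - 2) + 1          # 1 <= x <= p - 2
    return x, pow(G, x, P)


def elgamal_sign(x: int, data: bytes):
    """Signature (r, s): r = g^k mod p, s = k^-1 * (H(m) - x*r) mod (p - 1)."""
    h = _hash_to_int(data)
    while True:
        k = secrets.randbelow(P - 2) + 1      # fresh per signature, never reused
        if gcd(k, P - 1) != 1:
            continue                          # k must be invertible mod p - 1
        r = pow(G, k, P)
        s = (pow(k, -1, P - 1) * (h - x * r)) % (P - 1)
        if s != 0:
            return r, s


def elgamal_verify(y: int, data: bytes, sig) -> bool:
    """Check g^H(m) == y^r * r^s (mod p), with range checks on r and s."""
    r, s = sig
    if not (0 < r < P and 0 < s < P - 1):
        return False
    h = _hash_to_int(data)
    return (pow(y, r, P) * pow(r, s, P)) % P == pow(G, h, P)


class CentralIndex:
    """The single upload point: signs every file with its own private key."""

    def __init__(self):
        self._private, self.public_key = elgamal_keygen()
        self.files = {}                       # name -> (content, signature)

    def upload(self, name: str, content: bytes):
        self.files[name] = (content, elgamal_sign(self._private, content))


class Mirror:
    """Read-only copy of the index; may be compromised, never holds the key."""

    def __init__(self, central: CentralIndex):
        self.files = dict(central.files)

    def replace_file(self, name: str, content: bytes, private_key=None):
        """Simulate a compromised mirror swapping a file. Without a key it keeps
        the old signature; with its own key it re-signs, which a client that
        pins the central public key still rejects."""
        _, old_sig = self.files[name]
        sig = elgamal_sign(private_key, content) if private_key is not None else old_sig
        self.files[name] = (content, sig)


def verify_download(mirror: Mirror, name: str, pinned_public_key: int) -> bool:
    """What an installer would do: verify against the pinned central key,
    never against a key obtained from the mirror itself."""
    content, sig = mirror.files[name]
    return elgamal_verify(pinned_public_key, content, sig)


def install(mirror: Mirror, name: str, pinned_public_key: int) -> bytes:
    if not verify_download(mirror, name, pinned_public_key):
        raise ValueError(f"{name}: signature does not verify against the pinned key")
    return mirror.files[name][0]


if __name__ == "__main__":
    central = CentralIndex()
    # Constructed sample upload, not a real package.
    central.upload("example-1.0.tar.gz", b"constructed sample package contents")
    mirror = Mirror(central)
    print(install(mirror, "example-1.0.tar.gz", central.public_key))
    mirror.replace_file("example-1.0.tar.gz", b"trojaned contents")
    print(verify_download(mirror, "example-1.0.tar.gz", central.public_key))
```

The point the model makes is the one in the message: the mirror never holds the signing key, so a swapped file either carries the old signature (which no longer matches its hash) or a signature under some other key (which does not verify against the key the client pins). It does not cover the author-side PGP signature the message also asks easy_install to check; that would be a second, independent verification on the same file.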
