[Catalog-sig] [pydotorg-www] project plan
techtonik at gmail.com
Mon Apr 19 23:24:38 CEST 2010
On Mon, Apr 19, 2010 at 11:51 PM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
> About the only approach I can think of is PGP signing by the actual
> package authors, which is already supported in PyPI (but not in
> setuptools/distribute, AFAIK). We could strengthen this with our own web
> of trust within the community of PyPI users, which would take
> some time to setup. We could also encourage the use of CACert user
> certificates for code signing instead/in addition.
IIRC the biggest hole with PyPI and setuptools for now is that it
doesn't allow executing "setup.py bdist register upload" without
saving the password in clear form on the user's system.
CCed to catalog-sig. Let's see if it will bounce.
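A defender-side check for the problem raised in this message, the password that "setup.py register upload" expects to find in clear text in ~/.pypirc. This is an added example and not code from the thread or from setuptools; the sample config is constructed, and the function names are this example's own. It parses a .pypirc-style file, reports which index-server sections carry a literal password, and checks whether the file is readable by other users on the system.

```python
"""Audit a .pypirc-style credentials file for clear-text passwords.

Added example, not part of the original mailing-list post. The sample
config below is constructed; the function names are this example's own.
"""
import configparser
import os
import stat
import tempfile

# Constructed sample of a typical ~/.pypirc: one server section stores
# the password in the file, the other leaves it out.
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    testpypi

[pypi]
username: alice
password: hunter2

[testpypi]
username: alice
"""


def find_cleartext_passwords(text):
    """Return the index-server sections that carry a literal password."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    hits = []
    for section in parser.sections():
        if section == "distutils":  # only lists the server sections
            continue
        if parser.get(section, "password", fallback=None):
            hits.append(section)
    return hits


def is_private_to_owner(path):
    """True if the file grants no permission bits to group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def audit_pypirc(path):
    """Combine the two checks into one report for a file on disk."""
    with open(path, encoding="utf-8") as fh:
        text = fh.read()
    return {
        "cleartext_sections": find_cleartext_passwords(text),
        "private_to_owner": is_private_to_owner(path),
    }


def demo():
    """Write the constructed sample with a loose mode and audit it."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".pypirc") as fh:
        fh.write(SAMPLE_PYPIRC)
        path = fh.name
    os.chmod(path, 0o644)  # common default: readable by every local user
    try:
        return audit_pypirc(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Run against a real ~/.pypirc, a non-empty "cleartext_sections" list or a False "private_to_owner" is the finding to act on; at minimum the file should be mode 0600, and better still the password should not be in the file at all.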