[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability
steve at pearwood.info
Wed Jun 16 00:24:23 CEST 2010
On Wed, 16 Jun 2010 03:44:05 am Jesus Cea wrote:

> 2. Packages MUST be digitally signed. Ideally by the owner

-1 on requiring that by the package owner. While digitally signing
packages is a good idea, the state of the art is not yet so simple that
this will be anything but a barrier to entry to the average Python
developer. Not to mention there are places in the world where effective
encryption is illegal.

> but at least by PYPI central node (current pypi server).

Martin has said this is already planned, and linked here:

Has anyone considered whether there are any legal implications of this?
A digital signature is not an MD5 checksum, it may have actual legal
meaning in many countries equivalent to a pen and paper signature.

IANAL but I do not believe that it is a good idea to be signing
arbitrary packages without knowing what they are (other than "a bunch
of bytes uploaded from some arbitrary IP address") any more than I
would put my physical signature on a parcel handed to me by some random
person at the airport.

I would not be digitally signing anything I didn't create unless I had
good legal advice that it was safe to do so.
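The distinction the post draws between an MD5 checksum and a digital signature is the difference between integrity and authenticity. The following is an added example, not code from the thread or from PyPI: a checksum published next to a file can be recomputed by whoever can alter the file, so a checksum-only check on a mirror still passes after tampering, whereas a signature can only be produced by the holder of the private key, so the tampered file fails verification against the publisher's public key. It uses a Lamport one-time signature over SHA-256 purely so that it runs with the standard library; the scheme, the sample package bytes and all function names are assumptions of this example, not anything the thread describes.

```python
import hashlib
import os


def md5_checksum(data: bytes) -> str:
    """Integrity only: anyone holding the bytes can compute this."""
    return hashlib.md5(data).hexdigest()


def checksum_check(data: bytes, published_md5: str) -> bool:
    """What a checksum-only client does: compare against the .md5 next to the file."""
    return md5_checksum(data) == published_md5


def lamport_keygen():
    """Lamport one-time key pair: 256 pairs of secrets, public key is their hashes.
    Chosen here as a stdlib-only stand-in for a real signature scheme (assumption)."""
    priv = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pub = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in priv]
    return priv, pub


def lamport_sign(priv, data: bytes):
    """Reveal one secret per digest bit; needs the private key, so only the signer can do it."""
    bits = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return [priv[i][(bits >> (255 - i)) & 1] for i in range(256)]


def lamport_verify(pub, data: bytes, sig) -> bool:
    """Verification needs only the public key; changing any digest bit exposes
    a position whose secret was never revealed, so the check fails."""
    if len(sig) != 256:
        return False
    bits = int.from_bytes(hashlib.sha256(data).digest(), "big")
    for i in range(256):
        bit = (bits >> (255 - i)) & 1
        if hashlib.sha256(sig[i]).digest() != pub[i][bit]:
            return False
    return True


def demo() -> dict:
    """Constructed scenario: a mirror operator (or intruder on the mirror)
    replaces a package and the .md5 beside it, but cannot re-sign."""
    package = b"constructed sample sdist bytes"          # constructed, not a real package
    tampered = package + b"\n# constructed malicious change"

    priv, pub = lamport_keygen()                         # publisher's keys
    sig = lamport_sign(priv, package)                    # publisher signs the original

    return {
        # The mirror republishes md5(tampered) next to the tampered file: the check passes.
        "mirror_checksum_passes": checksum_check(tampered, md5_checksum(tampered)),
        # The original still verifies against the publisher's public key.
        "original_signature_verifies": lamport_verify(pub, package, sig),
        # The tampered file does not: nobody on the mirror holds the private key.
        "tampered_signature_verifies": lamport_verify(pub, tampered, sig),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The example is deliberately a one-time scheme: a Lamport key must never sign two different messages, which is one reason the point the post makes about signing unknown uploads matters operationally as well as legally. The behaviour a client sees is the same with any standard scheme: a signature binds the publisher's key to exactly the bytes that were signed, and a recomputed checksum does not.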