[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

Steven D'Aprano steve at pearwood.info
Wed Jun 16 00:24:23 CEST 2010

On Wed, 16 Jun 2010 03:44:05 am Jesus Cea wrote:

> 2. Packages MUST be digitally signed. Ideally by the owner

-1 on requiring that by the package owner. While digitally signing 
packages is a good idea, the state of the art is not yet so simple that 
this will be anything but a barrier to entry to the average Python 
developer. Not to mention there are places in the world where effective 
encryption is illegal.

> but at least by PYPI central node (current pypi server). 

Martin has said this is already planned, and linked here:


Has anyone considered whether there are any legal implications of this?

A digital signature is not an MD5 checksum, it may have actual legal 
meaning in many countries equivalent to a pen and paper signature. 
IANAL but I do not believe that it is a good idea to be signing 
arbitrary packages without knowing what they are (other than "a bunch 
of bytes uploaded from some arbitrary IP address") any more than I 
would put my physical signature on a parcel handed to me by some random 
person at the airport.

I would not be digitally signing anything I didn't create unless I had 
good legal advice that it was safe to do so.

Steven D'Aprano

More information about the Catalog-SIG mailing list