[Catalog-sig] Proposal: Move PyPI static data to the cloud for better availability

"Martin v. Löwis" martin at v.loewis.de
Wed Jun 16 00:45:26 CEST 2010

> I would not be digitally signing anything I didn't create unless I had
> good legal advice that it was safe to do so.

I'm actually not worried about this. In my own country, a valid digital 
signature requires much more than invocation of the RSA algorithm. E.g.
available of certain certified information about the key holder is 
necessary (including some identification of the key holder). The PyPI
signatures don't include any identification information.

Also, the only thing that *does* get signed are the simple index pages, 
and indeed, I not only sign them, I also generate them.


More information about the Catalog-SIG mailing list