[Catalog-sig] getting the public key when --sign is used
dholth at gmail.com
Mon Nov 19 20:03:08 CET 2012
On Mon, Nov 19, 2012 at 1:45 PM, Tarek Ziadé <tarek at ziade.org> wrote:
> On 11/19/12 7:43 PM, Daniel Holth wrote:
> If pypi would also sign the public key, and possibly the metadata for a
> particular release, that feature could be pretty cool.
> why pip ?
It's the premier Python package manager.
PyPI would sign the publisher's keys so that you could trust them without
having to worry about the connection. You could mirror the expected keys
Key revocation is an unrelated issue. A revoked key is still revoked even
if you can download a version of it that is not marked as revoked.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Catalog-SIG