[Catalog-sig] getting the public key when --sign is used

Daniel Holth dholth at gmail.com
Mon Nov 19 20:03:08 CET 2012

On Mon, Nov 19, 2012 at 1:45 PM, Tarek Ziadé <tarek at ziade.org> wrote:

>  On 11/19/12 7:43 PM, Daniel Holth wrote:
> If pypi would also sign the public key, and possibly the metadata for a
> particular release, that feature could be pretty cool.
> why pip ?

It's the premier Python package manager.

PyPI would sign the publisher's keys so that you could trust them without
having to worry about the connection. You could mirror the expected keys
this way.

Key revocation is an unrelated issue. A revoked key is still revoked even
if you can download a version of it that is not marked as revoked.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20121119/236698b5/attachment-0001.html>

More information about the Catalog-SIG mailing list