[Catalog-sig] getting the public key when --sign is used

Tarek Ziadé tarek at ziade.org
Mon Nov 19 22:31:23 CET 2012

On 11/19/12 8:03 PM, Daniel Holth wrote:
> On Mon, Nov 19, 2012 at 1:45 PM, Tarek Ziadé <tarek at ziade.org 
> <mailto:tarek at ziade.org>> wrote:
>     On 11/19/12 7:43 PM, Daniel Holth wrote:
>>     If pypi would also sign the public key, and possibly the metadata
>>     for a particular release, that feature could be pretty cool.
>     why pip ?
> It's the premier Python package manager.
> PyPI would sign the publisher's keys so that you could trust them 
> without having to worry about the connection. You could mirror the 
> expected keys this way.
> Key revocation is an unrelated issue. A revoked key is still revoked 
> even if you can download a version of it that is not marked as revoked.

But you don't upload packages on Pypi using Pip - since it's just the 
installer - So I don't get the workflow

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/catalog-sig/attachments/20121119/214c9b09/attachment.html>

More information about the Catalog-SIG mailing list