[Catalog-sig] getting the public key when --sign is used
tarek at ziade.org
Mon Nov 19 22:31:23 CET 2012
On 11/19/12 8:03 PM, Daniel Holth wrote:
> On Mon, Nov 19, 2012 at 1:45 PM, Tarek Ziadé <tarek at ziade.org> wrote:
> On 11/19/12 7:43 PM, Daniel Holth wrote:
>> If pypi would also sign the public key, and possibly the metadata
>> for a particular release, that feature could be pretty cool.
> why pip?
> It's the premier Python package manager.
> PyPI would sign the publisher's keys so that you could trust them
> without having to worry about the connection. You could mirror the
> expected keys this way.
> Key revocation is an unrelated issue. A revoked key is still revoked
> even if you can download a version of it that is not marked as revoked.
But you don't upload packages to PyPI using pip, since it's just the
installer, so I don't get the workflow.
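The design Daniel sketches above (the index signs each publisher's key, the installer trusts only the index key, and revocation is checked independently of whatever copy of the key you happen to download) can be modelled end to end in a few lines. The following is an added example for this thread, not code from pip, PyPI or anyone in the discussion. It uses textbook RSA with fixed Mersenne primes and no padding purely as a stand-in for a real signature scheme (that part is deliberately not secure and only exists so the block runs offline); the project name, archive bytes, key ids and record layout are all constructed for the demo.

```python
"""Toy model of an index endorsing publisher keys (added example).

The installer ships with exactly one trust anchor, REGISTRY_PUB. Every
publisher key must arrive inside a record signed by that key, and a
revocation list published by the registry is consulted separately, so an
old endorsement record that carries no 'revoked' marker still cannot be
used once the key id is on the list.
"""
import hashlib
import json

# --- toy signature primitive: textbook RSA, constructed primes, INSECURE ---
E = 65537


def make_key(p, q):
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)          # (public, private)


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(priv, data: bytes) -> int:
    n, d = priv
    return pow(_digest(data, n), d, n)


def verify(pub, data: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(data, n)


def key_id(pub) -> str:
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()[:16]


def canonical(obj) -> bytes:
    """Stable byte encoding so signer and verifier hash identical input."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


# --- registry side ---------------------------------------------------------
def endorse_publisher(registry_priv, publisher_pub, project):
    """Bind a publisher key to a project and sign the binding."""
    record = {"project": project, "key_id": key_id(publisher_pub),
              "n": publisher_pub[0], "e": publisher_pub[1]}
    return {"record": record, "sig": sign(registry_priv, canonical(record))}


# --- publisher side --------------------------------------------------------
def sign_release(publisher_priv, project, version, archive: bytes):
    meta = {"project": project, "version": version,
            "sha256": hashlib.sha256(archive).hexdigest()}
    return {"meta": meta, "sig": sign(publisher_priv, canonical(meta))}


# --- installer side --------------------------------------------------------
def verify_release(registry_pub, revoked_ids, endorsement, release, archive):
    """Trust only registry_pub; derive the publisher key from the endorsement."""
    record = endorsement["record"]
    if not verify(registry_pub, canonical(record), endorsement["sig"]):
        return "reject: endorsement not signed by registry"
    publisher_pub = (record["n"], record["e"])
    if key_id(publisher_pub) in revoked_ids:   # checked against the live list
        return "reject: publisher key revoked"
    meta = release["meta"]
    if meta["project"] != record["project"]:
        return "reject: key not endorsed for this project"
    if not verify(publisher_pub, canonical(meta), release["sig"]):
        return "reject: bad release signature"
    if hashlib.sha256(archive).hexdigest() != meta["sha256"]:
        return "reject: archive does not match signed metadata"
    return "ok"


# Constructed keys and data for the demo (hypothetical project "demo").
REGISTRY_PUB, REGISTRY_PRIV = make_key(2**89 - 1, 2**107 - 1)
PUBLISHER_PUB, PUBLISHER_PRIV = make_key(2**61 - 1, 2**127 - 1)
ARCHIVE = b"constructed sdist bytes for demo-1.0"
ENDORSEMENT = endorse_publisher(REGISTRY_PRIV, PUBLISHER_PUB, "demo")
RELEASE = sign_release(PUBLISHER_PRIV, "demo", "1.0", ARCHIVE)


def scenarios():
    r = {}
    r["valid"] = verify_release(REGISTRY_PUB, set(), ENDORSEMENT, RELEASE, ARCHIVE)
    r["tampered_archive"] = verify_release(REGISTRY_PUB, set(), ENDORSEMENT,
                                           RELEASE, ARCHIVE + b"x")
    # Same old endorsement record, but the registry's current revocation
    # list names the key: the record's lack of a 'revoked' flag is irrelevant.
    r["revoked"] = verify_release(REGISTRY_PUB, {key_id(PUBLISHER_PUB)},
                                  ENDORSEMENT, RELEASE, ARCHIVE)
    # A publisher vouching for its own key instead of the registry doing so.
    self_endorsed = endorse_publisher(PUBLISHER_PRIV, PUBLISHER_PUB, "demo")
    r["self_endorsed"] = verify_release(REGISTRY_PUB, set(), self_endorsed,
                                        RELEASE, ARCHIVE)
    return r


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:17} {result}")
```

The installer never needs a trusted channel to fetch the publisher key or the endorsement record: both can come from any mirror, because their authenticity is established by the registry signature rather than by the connection. The revocation list is the one input that must be current, which is why it is passed in separately rather than read out of the endorsement record.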