[Catalog-sig] getting the public key when --sign is used

Tarek Ziadé tarek at ziade.org
Mon Nov 19 22:44:50 CET 2012


On 11/19/12 10:37 PM, Daniel Holth wrote:
> You misread my first message, I only suggested that PyPI would sign 
> the public keys.
oh right, sorry

PyPI already signs each release for the mirrors (see PEP 381) - so it 
sounds feasible
>
>
> On Mon, Nov 19, 2012 at 4:31 PM, Tarek Ziadé <tarek at ziade.org 
> <mailto:tarek at ziade.org>> wrote:
>
>     On 11/19/12 8:03 PM, Daniel Holth wrote:
>>     On Mon, Nov 19, 2012 at 1:45 PM, Tarek Ziadé <tarek at ziade.org
>>     <mailto:tarek at ziade.org>> wrote:
>>
>>         On 11/19/12 7:43 PM, Daniel Holth wrote:
>>>         If pypi would also sign the public key, and possibly the
>>>         metadata for a particular release, that feature could be
>>>         pretty cool.
>>
>>         why pip?
>>
>>
>>     It's the premier Python package manager.
>>
>>     PyPI would sign the publisher's keys so that you could trust them
>>     without having to worry about the connection. You could mirror
>>     the expected keys this way.
>>
>>     Key revocation is an unrelated issue. A revoked key is still
>>     revoked even if you can download a version of it that is not
>>     marked as revoked.
>
>     But you don't upload packages on PyPI using pip - since it's just
>     the installer - so I don't get the workflow
>
>
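
An added example (not code from this thread, pip or PyPI) of the trust chain Daniel sketches above: the index signs a publisher's public key, and the installer, trusting only the index key it already ships with, verifies that endorsement and then the publisher's signature on the release, treating revocation as a separate list rather than a property of the downloaded key. It uses Go's standard-library Ed25519; the type names, the "publisher-key:" message format and the sample release bytes are all assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyCert is the index's (PyPI's) endorsement of a publisher key: the index
// signs the publisher name together with the publisher's public key.
// (Assumed structure for this example, not a PyPI format.)
type KeyCert struct {
	Publisher string
	PubKey    ed25519.PublicKey
	IndexSig  []byte
}

// certMsg binds the name to the key so a cert cannot be reused for another publisher.
func certMsg(publisher string, pub ed25519.PublicKey) []byte {
	return append([]byte("publisher-key:"+publisher+":"), pub...)
}

// IssueKeyCert is what the index would do when a publisher registers a key.
func IssueKeyCert(indexPriv ed25519.PrivateKey, publisher string, pub ed25519.PublicKey) KeyCert {
	return KeyCert{publisher, pub, ed25519.Sign(indexPriv, certMsg(publisher, pub))}
}

// VerifyRelease is the installer side. It trusts only indexPub (pinned in the
// client), checks the index's signature over the publisher key, consults the
// revocation list independently of where the cert came from (e.g. a mirror),
// and only then checks the publisher's signature over the release bytes.
func VerifyRelease(indexPub ed25519.PublicKey, revoked map[string]bool, cert KeyCert, release, sig []byte) error {
	if !ed25519.Verify(indexPub, certMsg(cert.Publisher, cert.PubKey), cert.IndexSig) {
		return errors.New("publisher key not endorsed by index")
	}
	if revoked[string(cert.PubKey)] {
		return errors.New("publisher key revoked")
	}
	if !ed25519.Verify(cert.PubKey, release, sig) {
		return errors.New("release signature invalid")
	}
	return nil
}

func main() {
	indexPub, indexPriv, _ := ed25519.GenerateKey(rand.Reader)
	pubPub, pubPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueKeyCert(indexPriv, "example-project", pubPub)
	release := []byte("example-project-1.0.tar.gz (constructed sample bytes)")
	fmt.Println(VerifyRelease(indexPub, nil, cert, release, ed25519.Sign(pubPriv, release)))
}
```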
