[Catalog-sig] getting the public key when --sign is used
Tarek Ziadé
tarek at ziade.org
Tue Nov 20 13:56:26 CET 2012
On 11/20/12 1:54 PM, Tarek Ziadé wrote:
> On 11/20/12 1:49 PM, "Martin v. Löwis" wrote:
>> On 19.11.12 19:37, Tarek Ziadé wrote:
>>> Wouldn't it make sense to modify the upload command and add a .pubkey
>>> file alongside the archive file and the .asc file on PyPI? (since we
>>> don't have a notion of team/users etc.)
>>
>> Each user is supposed to provide his PGP key ID. For those that did, we
>> could fetch them from the key server.
>
> In some projects we have several owners and maintainers, so I am not sure
> how we can decide which key to use. The initial owner?
>
> Maybe we'd need to add a project <> key relation that's set by default
> to the initial owner's key, but could be changed afterwards.
>
Oh, scratch this. Each upload has an uploader associated, so we can use this.