[Catalog-sig] getting the public key when --sign is used

Tarek Ziadé tarek at ziade.org
Tue Nov 20 13:56:26 CET 2012

On 11/20/12 1:54 PM, Tarek Ziadé wrote:
> On 11/20/12 1:49 PM, "Martin v. Löwis" wrote:
>> Am 19.11.12 19:37, schrieb Tarek Ziadé:
>>> Wouldn't it make sense to modify the upload command and add a .pubkey
>>> file alongside the archive file
>>> and the .asc file on PyPI ?  (since we don't have a notion of 
>>> team/users
>>> etc.)
>> Each user is supposed to provide his PGP key ID. For those that did, we
>> could fetch them from the key server.
> In some projects we have several owners and maintainers, so I am not sure
> how we can decide which key to use. The initial owner ?

> Maybe we'd need to add a project <> key relation that's set by default
> to the initial owner's key, but could be change afterwards.
oh scratch this. each upload has a uploader associated so we can use this.

More information about the Catalog-SIG mailing list