[Catalog-sig] [Draft] Package signing and verification process

Zygmunt Krynicki zygmunt.krynicki at canonical.com
Wed Feb 6 21:28:37 CET 2013


On 06.02.2013 21:08, Lennart Regebro wrote:
> On Wed, Feb 6, 2013 at 8:51 PM, Zygmunt Krynicki 
> <zygmunt.krynicki at canonical.com> wrote:
>> That is a one time operation.
> 
> It is, for Plone, a several hundred times operation. This is not a 
> feasible path.

I did not realize that a basic install of Plone is composed of 100+
packages. If all of those packages are maintained by a coherent group
(pardon my ignorance of Plone here) then perhaps that use case could
be managed by allowing the user to accept trust to a larger pool of
packages.

For example, if all Plone packages were signed by a single key and
carried additional meta-data then distrust could ask the user
something like:

Do you want to trust the user "Joe Developer <developer at example.com>"
as identified by fingerprint .... with _all_ packages that start with
the string "pypi:plone.core.":

Choice [No/yes/help]:

Thanks
ZK

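The prefix-scoped trust grant proposed in the message above, sketched as an added example that is not part of the original message and not code from any existing tool. The names `TrustStore`, `grant`, `is_trusted` and `packages_needing_prompt`, the separator rule, and the fingerprints are assumptions made for illustration.

```python
from dataclasses import dataclass, field


def normalize_fpr(fpr: str) -> str:
    """Compare fingerprints as uppercase hex with whitespace removed."""
    return "".join(fpr.split()).upper()


@dataclass
class TrustStore:
    # Maps a normalized key fingerprint to the name prefixes the user accepted.
    grants: dict = field(default_factory=dict)

    def grant(self, fpr: str, prefix: str) -> None:
        # A prefix must end on a separator, so that "pypi:plone.core." can
        # never match an unrelated name such as "pypi:plone.corex".
        if not prefix.endswith((".", ":")):
            raise ValueError("prefix must end with '.' or ':'")
        self.grants.setdefault(normalize_fpr(fpr), set()).add(prefix.lower())

    def is_trusted(self, fpr: str, package: str) -> bool:
        # Default deny: an unknown key has no prefixes and trusts nothing.
        prefixes = self.grants.get(normalize_fpr(fpr), ())
        return any(package.lower().startswith(p) for p in prefixes)


def packages_needing_prompt(store: TrustStore, signed) -> list:
    """Return the (package, fingerprint) pairs no existing grant covers."""
    return [(pkg, fpr) for pkg, fpr in signed if not store.is_trusted(fpr, pkg)]


# Constructed sample data: fingerprints and package names are made up.
JOE = "0123 4567 89AB CDEF 0123 4567 89AB CDEF 0123 4567"
OTHER = "FEDC BA98 7654 3210 FEDC BA98 7654 3210 FEDC BA98"
SIGNED = [
    ("pypi:plone.core.content", JOE),
    ("pypi:plone.core.auth", JOE.replace(" ", "").lower()),
    ("pypi:plone.corex", JOE),            # look-alike name outside the prefix
    ("pypi:plone.core.content", OTHER),   # covered name, different key
    ("pypi:requests", JOE),               # granted key, unrelated package
]

if __name__ == "__main__":
    store = TrustStore()
    store.grant(JOE, "pypi:plone.core.")  # the single "yes" answer
    for pkg, fpr in packages_needing_prompt(store, SIGNED):
        print("still needs a decision:", pkg, normalize_fpr(fpr)[-8:])
```

The grant binds a key to a name prefix, so a covered name signed by another key, or another name signed by the granted key, still falls through to a prompt.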
