[Catalog-sig] [Draft] Package signing and verification process
Zygmunt Krynicki
zygmunt.krynicki at canonical.com
Wed Feb 6 21:28:37 CET 2013
On 06.02.2013 21:08, Lennart Regebro wrote:
> On Wed, Feb 6, 2013 at 8:51 PM, Zygmunt Krynicki
> <zygmunt.krynicki at canonical.com> wrote:
>> That is a one time operation.
>
> It is, for Plone, a several hundred times operation. This is not a
> feasible path.

I did not realize that a basic install of Plone is composed of 100+
packages. If all of those packages are maintained by a coherent group
(pardon my ignorance of Plone here) then perhaps that use case could
be managed by allowing the user to accept trust to a larger pool of
packages.

For example, if all Plone packages were signed by a single key and
carried additional meta-data then distrust could ask the user
something like:

    Do you want to trust the user "Joe Developer <developer at example.com>"
    as identified by fingerprint .... with _all_ packages that start with
    the string "pypi:plone.core.":
    Choice [No/yes/help]:

Thanks
ZK
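
The prefix-scoped trust prompt proposed in the message above, sketched as an added example that is not part of the original mail or of any tool it mentions: one accepted grant covers every package under the prefix, while look-alike names and other signers still require a decision. TrustStore, pending_prompts, the 40-hex-digit fingerprint format and the lower-casing of names are assumptions made for illustration.

```python
import re

FULL_FPR = re.compile(r"[0-9A-F]{40}")  # full fingerprint, never a short key ID


def normalize_fingerprint(text):
    """Strip spaces, upper-case, and reject anything shorter than 40 hex digits."""
    fpr = text.replace(" ", "").upper()
    if not FULL_FPR.fullmatch(fpr):
        raise ValueError("need a full 40-hex-digit fingerprint")
    return fpr


class TrustStore:
    """Hypothetical store of (fingerprint, name-prefix) grants accepted by the user."""

    def __init__(self):
        self._grants = set()

    def grant(self, fingerprint, prefix):
        # The prefix must end at a name boundary, otherwise a grant for
        # "pypi:plone.core" would also cover "pypi:plone.corehelpers".
        if not prefix.endswith((".", ":")):
            raise ValueError("prefix must end with '.' or ':'")
        self._grants.add((normalize_fingerprint(fingerprint), prefix.lower()))

    def is_trusted(self, fingerprint, package):
        """True only if this exact key holds a grant whose prefix covers the package."""
        fpr = normalize_fingerprint(fingerprint)
        name = package.lower()
        return any(fpr == g_fpr and name.startswith(g_prefix)
                   for g_fpr, g_prefix in self._grants)


def pending_prompts(store, signed_packages):
    """Return the (package, fingerprint) pairs that still need a user decision."""
    return [(pkg, fpr) for pkg, fpr in signed_packages
            if not store.is_trusted(fpr, pkg)]


# Constructed sample data: made-up fingerprints and package names.
PLONE_KEY = "AAAA " * 9 + "AAAA"
OTHER_KEY = "B" * 40
INSTALL_SET = [
    ("pypi:plone.core.utils", PLONE_KEY),
    ("pypi:plone.core.schema", PLONE_KEY),
    ("pypi:plone.corehelpers", PLONE_KEY),   # look-alike outside the prefix
    ("pypi:plone.core.utils", OTHER_KEY),    # right name, different signer
]
```
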