[Catalog-sig] [Draft] Package signing and verification process

Andreas Jung lists at zopyx.com
Thu Feb 7 06:46:59 CET 2013


Lennart Regebro wrote:
> On Wed, Feb 6, 2013 at 9:28 PM, Zygmunt Krynicki 
> <zygmunt.krynicki at canonical.com> wrote:
>> I did not realize that a basic install of Plone is composed of
>> 100+ packages. If all of those packages are maintained by a
>> coherent group (pardon my ignorance of Plone here) then perhaps
>> that use case could be managed by allowing the user to accept trust
>> to a larger pool of packages.
> 
> Most of them are done by a couple of groups, which share some
> people. But there are at least 20-30 packages in there that aren't
> maintained by these groups.
> 
> Plone is trying to be user friendly. If the Python community in 
> general would decide to go down this path, then Plone would be
> forced to simply not use standard Python packaging at all.
> 
> Fortunately, I don't think the risk is very high. As mentioned, this 
> is just not a practical or feasible way to solve the problem.

+1

-aj