[Catalog-sig] Including GnuPG with packaging tools

Donald Stufft donald.stufft at gmail.com
Sun Feb 10 18:54:39 CET 2013


On Sunday, February 10, 2013 at 12:53 PM, Giovanni Bajo wrote:
> On 10 Feb 2013, at 18:08, Antoine Pitrou <solipsis at pitrou.net> wrote:
> 
> > 
> > Hello,
> > 
> > Vinay Sajip <vinay_sajip <at> yahoo.co.uk> writes:
> > > 
> > > I've contacted the FSF about the licensing implications of including gpg with
> > > Python programs. This is primarily for Windows - Posix users are better off
> > > installing through their distro package manager or equivalent of the
> > > Homebrew/MacPorts type, if necessary.
> > > 
> > 
> > 
> > You want to post this on python-dev, not catalog-sig.
> > 
> > Also, before inquiring about legal matters, it should first be decided
> > whether it is desirable to ship our version of GnuPG, or not.
> > (unless there has already been a thread about this and I've missed it :-))
> > 
> 
> 
> 
> There is an open discussion whether to use TUF or GPG. If we go with GPG, then we will discuss what to do, given that:
> 
> 1) for users, the problem is not on python-dev, but rather on the maintainers of package managers (pip, easy_install) that need to decide how to ship/install GPG to verify signatures.
> 2) for maintainers, I don't see a strong need to ship it with distutils within Python, as long as we have clear documentation on how to install it. But this is open for discussion of course.
> 
I didn't see TUF mention anywhere what technology would be used to sign its
files. So it's possible to use GPG (or possibly another one?) 
