[Catalog-sig] User profile: PGP Key ID

Nick Coghlan ncoghlan at gmail.com
Wed Feb 20 23:50:49 CET 2013


On 21 Feb 2013 06:57, "Donald Stufft" <donald.stufft at gmail.com> wrote:
>
> On Wednesday, February 20, 2013 at 3:50 PM, Daniel Holth wrote:
>>
>> Bikeshed detected.
>
> Basically.
>
> We basically can't use any of the properties of the various signing techs
> besides their ability to sign documents so the choice of them doesn't
> particularly matter.

Not *quite* true - GPG comes with more mature client side tech for managing
signing keys at the developer end, and that's independent of the PyPI trust
model. Since it's a coin flip otherwise, that's probably going to be enough
for us to favour GPG as the signing tech.

In the spirit of "status quo wins a stalemate", GPG should currently be
considered the default choice, with alternatives needing to offer genuinely
compelling advantages to displace it. (note that isolating the signature
generation and verification to a separate non-Python process isn't a major
issue from my point of view)

Cheers,
Nick.