<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 11/19/12 8:03 PM, Daniel Holth
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAG8k2+7qjUJPqzF-fjN8Tv7wuzGsX5keMGwa_0zf=JzPnugqpA@mail.gmail.com"
      type="cite">On Mon, Nov 19, 2012 at 1:45 PM, Tarek Ziadé <span
        dir="ltr">&lt;<a moz-do-not-send="true"
          href="mailto:tarek@ziade.org" target="_blank">tarek@ziade.org</a>&gt;</span>
      wrote:<br>
      <div class="gmail_extra">
        <div class="gmail_quote">
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div class="im">
                <div>On 11/19/12 7:43 PM, Daniel Holth wrote:<br>
                </div>
                <blockquote type="cite">If PyPI would also sign the
                  public key, and possibly the metadata for a particular
                  release, that feature could be pretty cool.</blockquote>
                <br>
              </div>
              Why pip?</div>
          </blockquote>
          <div><br>
          </div>
          <div>It's the premier Python package manager.</div>
          <div><br>
          </div>
          <div>PyPI would sign the publisher's keys so that you could
            trust them without having to worry about the connection. You
            could mirror the expected keys this way.</div>
          <div><br>
          </div>
          <div>Key revocation is an unrelated issue. A revoked key is
            still revoked even if you can download a version of it that
            is not marked as revoked.</div>
        </div>
      </div>
    </blockquote>
    <br>
    But you don't upload packages on PyPI using pip - since it's just
    the installer - so I don't get the workflow.<br>
    <br>
  </body>
</html>