<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 11/19/12 7:43 PM, Daniel Holth
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAG8k2+6S544hOdTcfaimosEPVSKKOZrCf3qAhp4U5324vY658g@mail.gmail.com"
      type="cite">If pypi would also sign the public key, and possibly
      the metadata for a particular release, that feature could be
      pretty cool.</blockquote>
    <br>
    why pip ?<br>
    <br>
    <br>
    <blockquote
cite="mid:CAG8k2+6S544hOdTcfaimosEPVSKKOZrCf3qAhp4U5324vY658g@mail.gmail.com"
      type="cite">
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Mon, Nov 19, 2012 at 1:37 PM, Tarek
          Ziadé <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:tarek@ziade.org" target="_blank">tarek@ziade.org</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">Hey<br>
            <br>
            <br>
            I am currently writing a small script to verify that the gpg
            signature is correct when the --sign option<br>
            is used with the Distutils upload command, and I was
            wondering why we don't publish the public key<br>
            alongside the .asc file.<br>
            <br>
            Right now, unless I missed something, to verify a signature
            the user has to manually get the public key before she<br>
            can control the tarball.<br>
            <br>
            Wouldn't it make sense to modify the upload command and add
            a .pubkey file alongside the archive file<br>
            and the .asc file on PyPI ?  (since we don't have a notion
            of team/users etc.)<br>
            <br>
            Cheers<br>
            Tarek<br>
            _______________________________________________<br>
            Catalog-SIG mailing list<br>
            <a moz-do-not-send="true"
              href="mailto:Catalog-SIG@python.org" target="_blank">Catalog-SIG@python.org</a><br>
            <a moz-do-not-send="true"
              href="http://mail.python.org/mailman/listinfo/catalog-sig"
              target="_blank">http://mail.python.org/mailman/listinfo/catalog-sig</a><br>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
    <br>
  </body>
</html>