[Distutils] PGP keys required? (Re: PEP 243)
Moore, Paul
Paul.Moore at atosorigin.com
Tue Feb 3 05:08:38 EST 2004
From: M.-A. Lemburg [mailto:mal at egenix.com]
>> I'm not trying to argue the case, just to demonstrate how the
>> world looks from the POV of security-naive people like me...
> Perhaps distutils should simply start to add MD5 or SHA hash
> sums of the created archives to the meta-data which gets uploaded
> to e.g. PyPI. That way, the user can easily see whether a mirror
> has the correct packages or not. Better than nothing, I'd say,
> and easy to implement even without having to go through all the
> PKI stuff :-)
That sounds sensible. Everything needed is part of Python, no
requirements on the user, some level of check for those that
care. I can't see a downside...
Paul.
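The scheme sketched in the quoted proposal, as an added example in Python (not distutils, PyPI or either poster's code): the uploader computes MD5 and SHA digests of the built archive and publishes them with the metadata; a downloader fetches the archive from a mirror, the digests from the index, and compares. The archive is a small constructed in-memory tarball, the "metadata" is a plain dict rather than a real PKG-INFO file, and the project files are invented; a real build would digest the sdist file on disk.

```python
"""Added example (not distutils/PyPI code): publish digests of an archive
with its metadata and verify a mirrored copy against them.

Assumptions: the archive is a constructed in-memory tar, the metadata is a
dict rather than a PKG-INFO file, and the trusted digests come from the
index while only the archive bytes come from the (untrusted) mirror."""

import hashlib
import hmac
import io
import tarfile

# Constructed sample project; not a real package.
SAMPLE_FILES = {
    "demo-1.0/setup.py": b"from distutils.core import setup\n"
                         b"setup(name='demo', version='1.0')\n",
    "demo-1.0/demo.py": b"def hello():\n    return 'hello'\n",
}


def build_archive(files):
    """Build an uncompressed tar archive from {path: bytes}.

    mtime is pinned to 0 and entries are added in sorted order, so the same
    inputs always produce the same bytes (and therefore the same digests).
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in sorted(files.items()):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            info.mtime = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def digest_metadata(archive_bytes, algorithms=("md5", "sha256")):
    """Digest sums the uploader attaches to the package metadata."""
    return {alg: hashlib.new(alg, archive_bytes).hexdigest() for alg in algorithms}


def verify_download(archive_bytes, trusted_digests):
    """Compare a downloaded archive with digests from a trusted source.

    Every algorithm listed in trusted_digests must match.  Returns
    (ok, failed_algorithms).  hmac.compare_digest gives a constant-time
    comparison; for a public digest that is merely good hygiene.
    """
    failed = []
    for alg, expected in trusted_digests.items():
        actual = hashlib.new(alg, archive_bytes).hexdigest()
        if not hmac.compare_digest(actual, expected):
            failed.append(alg)
    return (not failed, failed)


def tamper(archive_bytes):
    """Simulate a mirror serving an altered copy: change the content of
    demo.py in place (same length, so the tar layout is untouched)."""
    altered = archive_bytes.replace(b"return 'hello'", b"return 'hullo'", 1)
    assert altered != archive_bytes, "expected content not found"
    return altered


if __name__ == "__main__":
    archive = build_archive(SAMPLE_FILES)
    meta = digest_metadata(archive)   # uploaded to the index with the archive
    print("published:", meta)
    print("good mirror:", verify_download(archive, meta))
    print("bad mirror: ", verify_download(tamper(archive), meta))
```

The check only detects a mirror whose bytes differ from what the index knows about; it depends on the digests reaching the user through a channel the mirror cannot rewrite. A party that can alter both the archive and the published digests defeats it, which is the gap a signature scheme (the PGP keys in the thread subject) is meant to close.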