[Distutils] PGP keys required? (Re: PEP 243)

Bob Ippolito bob at redivi.com
Thu Jan 29 06:26:29 EST 2004

On Jan 29, 2004, at 6:15 AM, Anthony Baxter wrote:

>>>> "Moore, Paul" wrote
>> From: Michael T. Babcock
>>> Would it be worthwhile to stipulate that anyone who wants to submit a
>>> package to an automated distutils system have a PGP/GPG key signed by
>>> an appropriate Python authority or another developper?
>> -1. The effect would be to bar new submitters, who wouldn't have the
>> necessary signed key, as well as to people like myself who can't be
>> bothered trying to maintain a PGP key.
> It should be at least an option, anyway.

Isn't most of the stuff used to support GPG under the GNU GPL license?  
I think that would preclude it from being incorporated into the 
mainline of distutils.

Personally, I don't think it would be a popular enough feature to 
justify the changes.  For the people who do care, a "meta-index" could 
be created where the developer could, email a pgp-signed or s/mime 
signed message containing the URLs and sha1 hashes of the files to some 
robot-address that would insert it into the "meta-index" if the 
credentials were ok.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2357 bytes
Desc: not available
Url : http://mail.python.org/pipermail/distutils-sig/attachments/20040129/3bb30aa6/smime.bin

More information about the Distutils-SIG mailing list