[Distutils] [Catalog-sig] [Python-Dev] accept the wheel PEPs 425, 426, 427

Paul Moore p.f.moore at gmail.com
Tue Nov 13 11:39:52 CET 2012


On 13 November 2012 10:26, M.-A. Lemburg <mal at egenix.com> wrote:

> I agree with Martin. If the point is to "to protect against cryptography
> that is not used", then not using the de-facto standard in signing
> open source distribution files, which today is PGP/GPG, misses that
> point :-)
>

I agree as well. For me, the main reason for cryptography not being used is
key distribution. Sure, I have a signed file, but without a key what's the
point? And if I'm creating a file, why sign it if I don't know how to
securely publish my key? So inventing a new signing infrastructure without
a key distribution process doesn't encourage me to use crypto at all...


> It's a good idea to check integrity, but that can be done using
> hashes.
>

+1 hashing is fine, and I don't have any problem with the hashing aspects
of the PEP.

Maybe the signing aspects could be deferred to a subsequent PEP, to be
thrashed out separately? I know Daniel has a strong interest in the signing
aspect, so I'm reluctant to suggest just dropping it, but I'd rather it not
be a showstopper for the rest of the current proposal.

Paul.
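The "integrity can be checked using hashes" point above is exactly what PEP 427 bakes into a wheel: the `RECORD` file lists each member as `path,sha256=<urlsafe-base64, no padding>,size`, with `RECORD` itself carrying an empty hash. The example below is added here and is not code from the PEP, from pip, or from anyone in this thread; it builds a small wheel in memory from constructed sample files, verifies every member against `RECORD`, and shows that a member rewritten without updating `RECORD` (a bad mirror or on-path tampering) is caught. The sample project name `demo`, its file contents, and the helper names are assumptions made for the illustration. Note what it does not do: a matching `RECORD` only proves the archive is self-consistent, it says nothing about who produced it, which is the key-distribution gap the message is about.

```python
"""Verify the per-file hashes in a wheel's RECORD (PEP 427 format).

Added example, not code from the PEP, pip, or the thread. Assumptions:
- RECORD lines are ``path,sha256=<urlsafe-base64, no padding>,size``
  (the format PEP 427 specifies); ``RECORD`` itself has an empty hash.
- The wheel bytes below are constructed in memory for the demo; ``demo``
  is not a real distribution.
"""
import base64
import csv
import hashlib
import io
import zipfile


def record_digest(data: bytes) -> str:
    """PEP 427 hash encoding: urlsafe base64 of SHA-256 with '=' padding stripped."""
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode("ascii")


def build_wheel(files: dict, dist_info: str) -> bytes:
    """Construct a minimal wheel zip whose RECORD covers every member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        rows = []
        for path, data in files.items():
            zf.writestr(path, data)
            rows.append([path, f"sha256={record_digest(data)}", str(len(data))])
        record_path = f"{dist_info}/RECORD"
        rows.append([record_path, "", ""])  # RECORD cannot hash itself
        out = io.StringIO()
        csv.writer(out, lineterminator="\n").writerows(rows)
        zf.writestr(record_path, out.getvalue())
    return buf.getvalue()


def verify_wheel(wheel_bytes: bytes) -> list:
    """Return a list of problems; an empty list means every member matched RECORD."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(wheel_bytes)) as zf:
        record_paths = [n for n in zf.namelist() if n.endswith(".dist-info/RECORD")]
        if len(record_paths) != 1:
            return ["expected exactly one RECORD file"]
        record_path = record_paths[0]
        recorded = {}
        for row in csv.reader(io.StringIO(zf.read(record_path).decode("utf-8"))):
            if not row:
                continue
            path, hash_spec, size = (row + ["", ""])[:3]
            recorded[path] = (hash_spec, size)
        # Every member must be listed, and every listed path must exist:
        # an unlisted file is as suspicious as a modified one.
        members = set(zf.namelist())
        for missing in sorted(set(recorded) - members):
            problems.append(f"{missing}: listed in RECORD but absent from wheel")
        for extra in sorted(members - set(recorded)):
            problems.append(f"{extra}: present in wheel but not in RECORD")
        for path, (hash_spec, size) in sorted(recorded.items()):
            if path == record_path or path not in members:
                continue
            data = zf.read(path)
            if not hash_spec.startswith("sha256="):
                problems.append(f"{path}: unsupported or missing hash {hash_spec!r}")
                continue
            if record_digest(data) != hash_spec[len("sha256="):]:
                problems.append(f"{path}: sha256 mismatch")
            elif size and int(size) != len(data):
                problems.append(f"{path}: size mismatch")
    return problems


def tamper(wheel_bytes: bytes, path: str, new_data: bytes) -> bytes:
    """Rewrite one member without touching RECORD (what a bad mirror might do)."""
    src = zipfile.ZipFile(io.BytesIO(wheel_bytes))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            dst.writestr(name, new_data if name == path else src.read(name))
    return buf.getvalue()


# Constructed sample wheel contents (not a real project).
SAMPLE_FILES = {
    "demo/__init__.py": b"VERSION = '1.0'\n",
    "demo/core.py": b"def run():\n    return 'ok'\n",
    "demo-1.0.dist-info/METADATA": b"Name: demo\nVersion: 1.0\n",
}
GOOD_WHEEL = build_wheel(SAMPLE_FILES, "demo-1.0.dist-info")
BAD_WHEEL = tamper(GOOD_WHEEL, "demo/core.py", b"import os\ndef run():\n    return os.system('id')\n")

if __name__ == "__main__":
    print("good:", verify_wheel(GOOD_WHEEL) or "RECORD verified")
    print("bad: ", verify_wheel(BAD_WHEEL))
```

To run it against a real wheel, read the file's bytes and pass them to `verify_wheel`; pip performs the same RECORD check at install time, which is why a tampered member fails to install even when nothing about the archive was signed.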

