[Distutils] vetting, signing, verification of release files

[holger krekel]

I am considering implementing gpg-signing and verification of release files
for devpi.  Rather than requiring package authors to sign their release
files, i am pondering a scheme where anyone can vet for a particular 
published release file by publishing a signature about it.  This aims
to help responsible companies to work together.  I've heart from devops/admins
that they manually download and check release files and then install 
it offline after some vetting.  Wouldn't it be useful to turn this
into a more collaborative effort?

Any thoughts or pointers to existing efforts within the (Python) 
packaging ecologies?

best,
holger