[Distutils] vetting, signing, verification of release files

holger krekel holger at merlinux.eu
Tue Jul 16 11:19:00 CEST 2013

I am considering implementing gpg-signing and verification of release files
for devpi.  Rather than requiring package authors to sign their release
files, I am pondering a scheme where anyone can vet for a particular
published release file by publishing a signature about it.  This aims
to help responsible companies to work together.  I've heard from devops/admins
that they manually download and check release files and then install
them offline after some vetting.  Wouldn't it be useful to turn this
into a more collaborative effort?

Any thoughts or pointers to existing efforts within the (Python) 
packaging ecologies?
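The scheme sketched above, as an added example that is not devpi's code: vetters publish signed statements about a release file's SHA-256, and an installer counts how many vetters it trusts have signed the file it actually downloaded, so it can require a quorum before installing. Ed25519 from Go's standard library stands in for gpg here; the vetter names, file name and file contents are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Attestation is one vetter's published statement, "I vetted release file File
// whose SHA-256 is Digest", signed with that vetter's Ed25519 key.
type Attestation struct {
	Vetter, File, Digest string
	Sig                  []byte
}
func digestOf(b []byte) string { s := sha256.Sum256(b); return hex.EncodeToString(s[:]) }

// statement is the exact byte string that is signed; naming the file prevents
// a signature from being reused as a vetting of a different file.
func statement(file, digest string) []byte { return []byte("vetted " + file + " sha256=" + digest) }
// Attest is what a vetter would run after checking a release file (hypothetical client).
func Attest(vetter string, priv ed25519.PrivateKey, file string, content []byte) Attestation {
	d := digestOf(content)
	return Attestation{vetter, file, d, ed25519.Sign(priv, statement(file, d))}
}
// CountValid counts distinct trusted vetters with a valid attestation for the file
// as actually downloaded; unknown signers, wrong digests and duplicates are ignored.
func CountValid(trusted map[string]ed25519.PublicKey, file string, content []byte, atts []Attestation) int {
	d, seen := digestOf(content), map[string]bool{}
	for _, a := range atts {
		pub, ok := trusted[a.Vetter]
		if ok && !seen[a.Vetter] && a.File == file && a.Digest == d &&
			ed25519.Verify(pub, statement(file, d), a.Sig) {
			seen[a.Vetter] = true
		}
	}
	return len(seen)
}

func main() {
	// Constructed sample: two vetting organisations attest to one release file.
	pubA, privA, _ := ed25519.GenerateKey(rand.Reader)
	pubB, privB, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"orgA": pubA, "orgB": pubB}
	file, content := "example-1.0.tar.gz", []byte("constructed release contents")
	atts := []Attestation{Attest("orgA", privA, file, content), Attest("orgB", privB, file, content)}
	// genuine file: 2 valid vettings; tampered file: 0
	fmt.Println(CountValid(trusted, file, content, atts), CountValid(trusted, file, append(content, '!'), atts))
}
```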
