[Distutils] vetting, signing, verification of release files
holger krekel
holger at merlinux.eu
Tue Jul 16 11:19:00 CEST 2013
I am considering implementing gpg-signing and verification of release files
for devpi. Rather than requiring package authors to sign their release
files, I am pondering a scheme where anyone can vet for a particular
published release file by publishing a signature about it. This aims
to help responsible companies to work together. I've heard from devops/admins
that they manually download and check release files and then install
them offline after some vetting. Wouldn't it be useful to turn this
into a more collaborative effort?
Any thoughts or pointers to existing efforts within the (Python)
packaging ecologies?
best,
holger
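The collaborative vetting idea above, as an added example that is not part of the original mail or of devpi: several independent parties each publish a signature ("vouch") over a release file, and an installer only accepts the file once a threshold of vetters it trusts have vouched for exactly that file. Everything here is constructed: the vetter names, keys and file contents are placeholders, and HMAC-SHA256 with a per-vetter key stands in for the GPG detached signature the mail proposes, so the example runs offline without a gpg binary. The policy logic (digest binding, ignoring unknown vetters, counting each vetter once, threshold) is the part that carries over unchanged to real signatures.

```python
"""Threshold vetting of a release file (constructed example, not devpi code).

Each vetter publishes a Vouch: a signature over "<vetter>\n<sha256 of file>".
The installer keeps a trust store of vetters it believes in and installs only
when at least `threshold` distinct trusted vetters have valid vouches for the
exact file it is about to install.

HMAC with a per-vetter secret key is a stand-in for GPG detached signatures
(gpg --detach-sign / gpg --verify) so that this runs with the standard library.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class Vouch:
    vetter: str        # identity of the party vouching for the file
    digest: str        # sha256 hex digest of the release file that was checked
    signature: bytes   # signature over the (vetter, digest) message


def release_digest(data: bytes) -> str:
    """Digest that identifies the release file being vetted."""
    return hashlib.sha256(data).hexdigest()


def _signed_message(vetter: str, digest: str) -> bytes:
    # Bind the vetter identity into the message so a vouch cannot be
    # re-attributed to another vetter.
    return f"{vetter}\n{digest}".encode()


def make_vouch(vetter: str, key: bytes, data: bytes) -> Vouch:
    """What a vetter publishes after checking `data` (stand-in for detach-sign)."""
    digest = release_digest(data)
    sig = hmac.new(key, _signed_message(vetter, digest), hashlib.sha256).digest()
    return Vouch(vetter, digest, sig)


def verify_vouch(vouch: Vouch, key: bytes) -> bool:
    """Check that `vouch.signature` is valid under the vetter's key (stand-in for gpg --verify)."""
    expected = hmac.new(key, _signed_message(vouch.vetter, vouch.digest),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, vouch.signature)


def trusted_vetters(data: bytes, vouches: Iterable[Vouch],
                    trust_store: Dict[str, bytes]) -> Set[str]:
    """Return the set of trusted vetters with a valid vouch for exactly `data`."""
    digest = release_digest(data)
    accepted: Set[str] = set()
    for v in vouches:
        key = trust_store.get(v.vetter)
        if key is None:            # vetter we do not trust: carries no weight
            continue
        if v.digest != digest:     # vouch is for some other file (or a tampered one)
            continue
        if not verify_vouch(v, key):   # forged or corrupted signature
            continue
        accepted.add(v.vetter)     # a set, so one vetter counts once however many vouches
    return accepted


def may_install(data: bytes, vouches: Iterable[Vouch],
                trust_store: Dict[str, bytes], threshold: int = 2) -> bool:
    """Install policy: enough distinct trusted vetters have vouched for this file."""
    return len(trusted_vetters(data, vouches, trust_store)) >= threshold


if __name__ == "__main__":
    # Constructed trust store and release file; keys are placeholders.
    keys = {"alice": b"alice-key", "bob": b"bob-key", "carol": b"carol-key"}
    release = b"contents of example-1.0.tar.gz (constructed)"
    vouches = [make_vouch("alice", keys["alice"], release),
               make_vouch("bob", keys["bob"], release)]
    print("install:", may_install(release, vouches, keys, threshold=2))
    print("tampered file:", may_install(release + b"x", vouches, keys, threshold=2))
```

The threshold is what turns individual admins' private checks into a shared decision: an installer can require, say, two vouches from organisations it trusts before an unattended install proceeds, while vouches from parties outside its trust store are simply ignored rather than treated as a risk.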