[Distutils] vetting, signing, verification of release files
holger krekel
holger at merlinux.eu
Tue Jul 16 13:17:12 CEST 2013
On Tue, Jul 16, 2013 at 12:21 +0200, Jannis Leidel wrote:
> On 16.07.2013, at 11:19, holger krekel <holger at merlinux.eu> wrote:
>
> > Any thoughts or pointers to existing efforts within the (Python)
> > packaging ecologies?
>
> Erik Rose just released peep the other day [1], which admittedly doesn't use gpg but at least allows pip users to simplify the manual vetting process.
>
> Jannis
>
> 1: https://pypi.python.org/pypi/peep
Thanks for the pointer, I actually saw that earlier. If I see it correctly
it does not target "vetting sharing": if 1000 careful people want to install
Django-1.5.1.tar.gz they each need to do the verification work
individually, each creating their particular "requirements.txt" with
extra hashes.
best,
holger
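To make the per-user vetting step concrete, here is an added example (not code from peep, pip or anyone in this thread) of a minimal checker for a hash-pinned requirements file: the hash comment syntax, the hex sha256 encoding, the requirement names and the archive bytes are all constructed assumptions for this illustration, not peep's actual format.

```python
import hashlib
import hmac
import re
from typing import Dict

# Constructed sample of a hash-pinned requirements file, modelled loosely on
# the peep idea of a hash comment above each pinned requirement.  The comment
# syntax and hex encoding are assumptions for this example only.
REQUIREMENTS = """\
# sha256: 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
Django==1.5.1
# sha256: 2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
requests==1.2.3
six==1.3.0
"""

HASH_LINE = re.compile(r"^#\s*sha256:\s*([0-9a-fA-F]{64})\s*$")


def pin_line(archive: bytes) -> str:
    """The vetting work each user repeats: hash a release file they have
    inspected and emit the comment line to paste above the requirement."""
    return "# sha256: " + hashlib.sha256(archive).hexdigest()


def parse_requirements(text: str) -> Dict[str, str]:
    """Map each requirement line to the sha256 pinned directly above it.
    A requirement with no preceding hash line gets an empty digest, so the
    caller can refuse it instead of silently trusting whatever is fetched."""
    pins: Dict[str, str] = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            pending = m.group(1).lower()
            continue
        if line.startswith("#"):
            continue  # ordinary comment, not a pin
        pins[line] = pending or ""
        pending = None
    return pins


def verify_archive(requirement: str, archive: bytes, pins: Dict[str, str]) -> bool:
    """Accept the downloaded bytes only if they match the user's own pin."""
    expected = pins.get(requirement, "")
    if not expected:
        return False  # unpinned: no vetting was done for this release
    actual = hashlib.sha256(archive).hexdigest()
    return hmac.compare_digest(actual, expected)
```

The constructed archive bytes below stand in for a downloaded release file; any other file a user wants pinned needs its own `pin_line` entry, which is exactly the duplicated effort the message describes.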