[Distutils] vetting, signing, verification of release files

holger krekel holger at merlinux.eu
Tue Jul 16 13:17:12 CEST 2013

On Tue, Jul 16, 2013 at 12:21 +0200, Jannis Leidel wrote:
> On 16.07.2013, at 11:19, holger krekel <holger at merlinux.eu> wrote:
> > Any thoughts or pointers to existing efforts within the (Python) 
> > packaging ecologies?
> Erik Rose just released peep the other day [1], which admittedly doesn't use gpg but at least allows pip users to simplify the manual vetting process.
> Jannis
> 1: https://pypi.python.org/pypi/peep

thanks for the pointer, i actually saw that earlier.  If i see it correctly
it does not target "vetting sharing": if a 1000 careful people want to install
Django-1.5.1.tar.gz they each need to do the verification work
individually, each creating their particular "requirements.txt" with
extra hashes.


More information about the Distutils-SIG mailing list