[Distutils] vetting, signing, verification of release files

Vinay Sajip vinay_sajip at yahoo.co.uk
Wed Jul 17 09:48:46 CEST 2013

holger krekel <holger <at> merlinux.eu> writes:

> about existing schemes/efforts.  I guess most Linux distros do it already
> so if nothing comes up here PyPI-specific (what is the status of TUF, btw?)
> i am going to look into the distro's working models.

ISTM it works for distros because they're the central authority guaranteeing
the provenance of the software in their repos. It's harder with PyPI because
it's not a central authority curating the content. Perhaps something like a
web of trust would be needed.


Vinay Sajip

More information about the Distutils-SIG mailing list