[Distutils] vetting, signing, verification of release files
zooko at zooko.com
Wed Jul 17 21:58:54 CEST 2013
In my opinion it is a good idea to embed, not just the *name* of the package
that your package depends on, but also the public key or public keys that your
package requires the depended-upon package to be signed by.
There was a time when wheel did this, using Ed25519 keys (which are nice and
small so it is easy to embed them directly into the metadata next to things
like URLs and Author Names).
I don't know if it still does. There's a PEP that mentions JWS signatures:
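An added example of the pin-the-signer scheme described above, written in Go because Ed25519 is in its standard library (crypto/ed25519); it is not code from wheel, from any PEP, or from the author of the post. The depending package's metadata carries the dependency's name plus the hex-encoded Ed25519 public keys it accepts, and a release file of that dependency is accepted only if it carries a detached signature that verifies under one of those pinned keys. The metadata field names, the hash-then-sign layout, and the sample archive contents are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Requirement pins, beside the dependency's name, the Ed25519 public keys
// (hex, 32 bytes each) that its release files must be signed by.
// Field names are assumptions for this example, not any PEP's.
type Requirement struct {
	Name       string
	SignerKeys []string
}

// Release is a downloaded distribution file plus the detached signature
// and the hex public key the publisher claims signed it (assumed layout).
type Release struct {
	Name      string
	Content   []byte
	Signature []byte
	SignerKey string
}

// signRelease signs SHA-256(content), so the signed message is fixed-size
// regardless of how large the archive is.
func signRelease(priv ed25519.PrivateKey, content []byte) []byte {
	digest := sha256.Sum256(content)
	return ed25519.Sign(priv, digest[:])
}

// verifyRelease accepts a release only if the claimed signer key is one of
// the keys pinned in the dependent's metadata AND the signature verifies
// under that key. A valid signature from an unpinned key is still rejected.
func verifyRelease(req Requirement, rel Release) error {
	if rel.Name != req.Name {
		return fmt.Errorf("release %q is not the required package %q", rel.Name, req.Name)
	}
	pinned := false
	for _, k := range req.SignerKeys {
		if k == rel.SignerKey {
			pinned = true
			break
		}
	}
	if !pinned {
		return errors.New("release signed by a key not pinned in dependent metadata")
	}
	pub, err := hex.DecodeString(rel.SignerKey)
	if err != nil || len(pub) != ed25519.PublicKeySize {
		return errors.New("pinned key is not a 32-byte Ed25519 public key")
	}
	digest := sha256.Sum256(rel.Content)
	if !ed25519.Verify(ed25519.PublicKey(pub), digest[:], rel.Signature) {
		return errors.New("signature does not verify under the pinned key")
	}
	return nil
}

// DemoResult holds the verification outcome for three constructed releases.
type DemoResult struct {
	Genuine, Tampered, WrongKey error
}

// Demo builds the scenario end to end with freshly generated keys and
// constructed archive bytes (not a real package) and returns the outcomes.
func Demo() (DemoResult, error) {
	pubA, privA, err := ed25519.GenerateKey(rand.Reader) // the trusted publisher
	if err != nil {
		return DemoResult{}, err
	}
	pubB, privB, err := ed25519.GenerateKey(rand.Reader) // an unrelated signer
	if err != nil {
		return DemoResult{}, err
	}
	req := Requirement{Name: "cryptolib", SignerKeys: []string{hex.EncodeToString(pubA)}}
	content := []byte("cryptolib-1.0.tar.gz contents (constructed sample)")

	good := Release{Name: "cryptolib", Content: content,
		Signature: signRelease(privA, content), SignerKey: hex.EncodeToString(pubA)}

	tampered := good // same signature, one byte of the archive flipped
	tampered.Content = append([]byte(nil), content...)
	tampered.Content[0] ^= 1

	wrongKey := Release{Name: "cryptolib", Content: content,
		Signature: signRelease(privB, content), SignerKey: hex.EncodeToString(pubB)}

	return DemoResult{
		Genuine:  verifyRelease(req, good),
		Tampered: verifyRelease(req, tampered),
		WrongKey: verifyRelease(req, wrongKey),
	}, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine:", r.Genuine, "| tampered:", r.Tampered, "| wrong key:", r.WrongKey)
}
```

The order of checks matters: the key is looked up in the pin list before any signature is verified, so a package that ships its own "signing key" alongside the archive gains nothing, which is exactly the point of embedding the keys in the dependent's metadata rather than fetching them with the release.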