[Distutils] [tuf] Re: vetting, signing, verification of release files

Trishank Karthik Kuppusamy tk47 at students.poly.edu
Thu Jul 18 03:50:12 CEST 2013


On 07/18/2013 09:34 AM, Justin Cappos wrote:
> My impression is this only holds for things signed directly by PyPI
> because the developers have not registered a key. I think that
> developers who register keys won't have this issue. Let's talk about
> this when you return, but it's really projects / developers that will
> be stable in the common case, not packages, right?

Yes, developers who register keys and have the stable role delegate 
their packages to themselves will not have this issue.

When I say "package", I mean what gets downloaded and installed when pip 
goes to PyPI to get a package with exactly the given name. I am not 
aware of a way to guide pip to install packages by projects (could you 
clarify what you mean by this?) or developers, but perhaps this might 
change in the future with PyPI metadata 2.0.