[Distutils] [tuf] Re: vetting, signing, verification of release files
Donald Stufft
donald at stufft.io
Thu Jul 18 03:54:25 CEST 2013
On Jul 17, 2013, at 9:52 PM, Justin Cappos <jcappos at poly.edu> wrote:
> If there is not a compromise of PyPI, then all updates happen essentially instantly.
>
> Developers that do not sign packages and so PyPI signs them, may have their newest packages remain unavailable for a period of up to 3 months *if there is a compromise of PyPI*.
Can you go into detail about how things will graduate from unstable to stable instantly in a way that a compromise of PyPI doesn't also allow that?
>
> Thanks,
> Justin
>
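Added illustration (not code from this thread, from PyPI, or from the TUF proposal being discussed): the split the question turns on is that the "unstable" role is signed by a key PyPI holds online, while graduation to "stable" requires metadata signed by a key kept offline, so stealing PyPI's online key lets an attacker alter what unstable vouches for but not produce valid stable metadata. The model below is a simplification built for this example; the role names "unstable" and "stable", the metadata field set, and the single-key-per-role root are assumptions chosen to match the wording of the question, not the proposal's actual format. Keys are generated at run time and the package bytes are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Targets is what one role signs: the files it vouches for and their SHA-256
// digests (hex). The field set is an assumption for this example.
type Targets struct {
	Role   string            `json:"role"`
	Hashes map[string]string `json:"hashes"`
}

// Signed bundles serialized metadata with the signature over exactly those bytes.
type Signed struct {
	Payload   []byte
	Signature []byte
}

// Root maps each role to the public key the client trusts for it. In a real
// deployment this mapping is itself offline-signed root metadata.
type Root map[string]ed25519.PublicKey

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// signTargets produces signed metadata for role using key (online or offline).
func signTargets(key ed25519.PrivateKey, role string, files map[string][]byte) Signed {
	t := Targets{Role: role, Hashes: map[string]string{}}
	for path, data := range files {
		t.Hashes[path] = sha256Hex(data)
	}
	payload, _ := json.Marshal(t) // only strings inside; Marshal cannot fail here
	return Signed{Payload: payload, Signature: ed25519.Sign(key, payload)}
}

// Verify accepts data for path under role only if the metadata is signed by the
// key root delegates to that role, names that role, lists path, and the digest matches.
func (r Root) Verify(role string, s Signed, path string, data []byte) error {
	pub, ok := r[role]
	if !ok {
		return errors.New("no key delegated for role " + role)
	}
	if !ed25519.Verify(pub, s.Payload, s.Signature) {
		return errors.New("signature not by the key delegated to " + role)
	}
	var t Targets
	if err := json.Unmarshal(s.Payload, &t); err != nil {
		return err
	}
	if t.Role != role {
		return errors.New("metadata signed for role " + t.Role + ", not " + role)
	}
	want, ok := t.Hashes[path]
	if !ok {
		return errors.New(path + " is not listed by " + role)
	}
	if want != sha256Hex(data) {
		return errors.New("digest mismatch for " + path)
	}
	return nil
}

// Outcome records what the client accepts in each case of the scenario.
type Outcome struct {
	HonestUnstableOK   bool // online key signs a fresh upload: accepted
	TamperedUnstableOK bool // holder of the online key swaps the file: accepted (the accepted risk)
	ForgedStableOK     bool // holder of the online key tries to "graduate" it: rejected
	HonestStableOK     bool // offline key signs the graduation: accepted
}

// RunScenario generates one online (PyPI) key and one offline key and walks
// through the four cases with constructed package bytes.
func RunScenario() Outcome {
	onlinePub, onlineKey, _ := ed25519.GenerateKey(rand.Reader)
	offlinePub, offlineKey, _ := ed25519.GenerateKey(rand.Reader)
	root := Root{"unstable": onlinePub, "stable": offlinePub}

	const path = "pkg-1.0.tar.gz"
	good := []byte("constructed sample sdist bytes")
	evil := []byte("constructed backdoored sdist bytes")

	unstable := signTargets(onlineKey, "unstable", map[string][]byte{path: good})
	tampered := signTargets(onlineKey, "unstable", map[string][]byte{path: evil})
	forged := signTargets(onlineKey, "stable", map[string][]byte{path: evil})
	stable := signTargets(offlineKey, "stable", map[string][]byte{path: good})

	return Outcome{
		HonestUnstableOK:   root.Verify("unstable", unstable, path, good) == nil,
		TamperedUnstableOK: root.Verify("unstable", tampered, path, evil) == nil,
		ForgedStableOK:     root.Verify("stable", forged, path, evil) == nil,
		HonestStableOK:     root.Verify("stable", stable, path, good) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The second case is the window the quoted text describes: while the online key is compromised, anything it alone vouches for can be swapped. The third case is the answer to "doesn't also allow that": the client will not accept a stable listing unless the offline key signed it, so graduation cannot be forged with the online key alone, whatever the compromise lets the attacker do to unstable.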