[Distutils] [tuf] Re: vetting, signing, verification of release files

Donald Stufft donald at stufft.io
Thu Jul 18 03:54:25 CEST 2013

On Jul 17, 2013, at 9:52 PM, Justin Cappos <jcappos at poly.edu> wrote:

> If there is not a compromise of PyPI, then all updates happen essentially instantly.  
> Developers that do not sign packages and so PyPI signs them, may have their newest packages remain unavailable for a period of up to 3 months *if there is a compromise of PyPI*.   

Can you go into details about how things will graduate from unstable to stable instantly in a way that a compromise of PyPI doesn't also allow that?

> Thanks,
> Justin

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20130717/e406d489/attachment.pgp>

More information about the Distutils-SIG mailing list