[Distutils] [tuf] Re: vetting, signing, verification of release files
donald at stufft.io
Thu Jul 18 03:54:25 CEST 2013
On Jul 17, 2013, at 9:52 PM, Justin Cappos <jcappos at poly.edu> wrote:
> If there is not a compromise of PyPI, then all updates happen essentially instantly.
> Developers that do not sign packages (and so PyPI signs them) may have their newest packages remain unavailable for a period of up to 3 months *if there is a compromise of PyPI*.
Can you go into details about how things will graduate from unstable to stable instantly in a way that a compromise of PyPI doesn't also allow?
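The point the question turns on is which key gets to vouch for a file. What follows is an added Go example, written for this archive page; it is not code from the thread, from PyPI, or from the TUF project, and it collapses TUF's root/snapshot/timestamp/targets layering into two roles named after the thread's own terms. It assumes one Ed25519 key per role (a "stable" role whose key is kept offline and an "unstable" role whose key lives on the PyPI host), a JSON metadata body with an expiry, and a client rule that the stable role is consulted first and is terminating for any file it lists. The package names and digests are constructed placeholders. Under those assumptions, "graduating" a file to stable requires a signature that only the offline key can produce, so someone holding the online key cannot do it, while anything only the unstable role lists stays at the mercy of that online key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Metadata is one role's signed body: files it vouches for (name -> hex digest,
// constructed placeholders here) and the instant after which it is stale.
type Metadata struct {
	Role    string            `json:"role"`
	Expires time.Time         `json:"expires"`
	Targets map[string]string `json:"targets"`
}

// Signed is the serialised Metadata plus an Ed25519 signature over those bytes.
type Signed struct {
	Payload []byte
	Sig     []byte
}

var ErrBadSignature = errors.New("signature does not verify under the role's pinned key")
var ErrExpired = errors.New("metadata has expired")

// GenKey makes a fresh Ed25519 key pair; the demo pins one key per role.
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign serialises m and signs it. Whoever holds priv can publish metadata for
// m.Role, which is why the stable role's key must never sit on the PyPI host.
func Sign(priv ed25519.PrivateKey, m Metadata) (Signed, error) {
	payload, err := json.Marshal(m)
	if err != nil {
		return Signed{}, err
	}
	return Signed{Payload: payload, Sig: ed25519.Sign(priv, payload)}, nil
}

// Verify checks s under the key pinned for a role and rejects expired metadata;
// expiry bounds how long a genuine but stale file can be replayed to clients.
func Verify(pub ed25519.PublicKey, s Signed, now time.Time) (Metadata, error) {
	if !ed25519.Verify(pub, s.Payload, s.Sig) {
		return Metadata{}, ErrBadSignature
	}
	var m Metadata
	if err := json.Unmarshal(s.Payload, &m); err != nil {
		return Metadata{}, err
	}
	if !now.Before(m.Expires) {
		return Metadata{}, ErrExpired
	}
	return m, nil
}

// Resolve reports which role vouches for file and with what digest. The stable
// role (offline key) is consulted first and is terminating for files it lists,
// so the unstable role (online key) can neither add to nor override that set.
// Failure to verify stable metadata fails closed rather than falling through.
func Resolve(file string, stablePub, unstablePub ed25519.PublicKey, stable, unstable Signed, now time.Time) (role, digest string, err error) {
	s, err := Verify(stablePub, stable, now)
	if err != nil {
		return "", "", fmt.Errorf("stable role: %w", err)
	}
	if d, ok := s.Targets[file]; ok {
		return "stable", d, nil
	}
	u, err := Verify(unstablePub, unstable, now)
	if err != nil {
		return "", "", fmt.Errorf("unstable role: %w", err)
	}
	if d, ok := u.Targets[file]; ok {
		return "unstable", d, nil
	}
	return "", "", fmt.Errorf("%s: no role vouches for this file", file)
}

func main() {
	offPub, offPriv := GenKey() // offline key, signs "stable"
	onPub, onPriv := GenKey()   // online key on the PyPI host, signs "unstable"
	now := time.Date(2013, 7, 18, 0, 0, 0, 0, time.UTC)
	stable, _ := Sign(offPriv, Metadata{Role: "stable", Expires: now.AddDate(0, 3, 0),
		Targets: map[string]string{"pkg-1.0.tar.gz": "a1"}})
	unstable, _ := Sign(onPriv, Metadata{Role: "unstable", Expires: now.Add(24 * time.Hour),
		Targets: map[string]string{"pkg-1.0.tar.gz": "ee", "pkg-1.1.tar.gz": "b2"}})
	fmt.Println(Resolve("pkg-1.0.tar.gz", offPub, onPub, stable, unstable, now))
	fmt.Println(Resolve("pkg-1.1.tar.gz", offPub, onPub, stable, unstable, now))
	// "Graduating" pkg-1.1 with only the online key: the client refuses it.
	forged, _ := Sign(onPriv, Metadata{Role: "stable", Expires: now.AddDate(0, 3, 0),
		Targets: map[string]string{"pkg-1.1.tar.gz": "b2"}})
	fmt.Println(Verify(offPub, forged, now))
}
```

Two things the code makes visible that the prose leaves implicit: the unstable role's digest for pkg-1.0 ("ee") is never consulted because the stable role already lists that file, and once the stable metadata passes its expiry the client stops serving anything at all rather than quietly falling back to the online-signed role. Shrinking the stable expiry is how a client limits how long a compromised host can keep replaying old but validly signed metadata; lengthening it is what makes the offline key's re-signing cadence the bottleneck for anything that has to pass through that role.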