[Distutils] Sooner or later, we're going to have to be more formal about how we name packages.
Nick Coghlan
ncoghlan at gmail.com
Sun Jun 2 15:01:22 CEST 2013
On Sun, Jun 2, 2013 at 10:09 PM, Donald Stufft <donald at stufft.io> wrote:
> If we deploy some sort of end-to-end signing I think TUF is a good
> implementation of it.
>
> I'm not sold on the possibility of reasonably doing end-to-end signing here
> though.
I think in the long run it's a technology we want to offer, but even
with it deployed PyPI would continue to act as a trusted intermediary
in most cases. Effective key management is such a PITA that only a few
larger projects would be in a real position to take direct advantage
of end-to-end signing - for the remaining projects, trusting PyPI not
to get compromised is already the status quo.
Cheers,
Nick.
--
Nick Coghlan | ncoghlan at gmail.com | Brisbane, Australia
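The two trust models being weighed above can be made concrete in a small simulation. The following is an added illustration, not code from this thread, from PyPI, or from TUF: it models a client that either trusts whatever the index signed (PyPI as trusted intermediary) or insists on a signature from the project's own key obtained out of band (end-to-end), and shows which model detects a substituted archive when the index's signing key is the thing that got compromised. Signatures are stood in for by HMAC-SHA256 (symmetric), which is not TUF's primitive; the keys, package name and archive bytes are all constructed for the example, and the pinned key ring stands in for the out-of-band key distribution that makes end-to-end signing costly to manage.

```python
"""Toy model of index-trusted versus end-to-end package verification.

Added illustration only. HMAC-SHA256 is used as a stand-in for a detached
public-key signature so the example runs with the standard library alone;
the point is where trust is anchored, not the signing primitive.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed keys for the toy; real deployments would use asymmetric key pairs.
INDEX_KEY = b"constructed-index-signing-key"
PROJECT_KEY = b"constructed-project-signing-key"


def digest(data: bytes) -> str:
    """Content hash of a distribution archive."""
    return hashlib.sha256(data).hexdigest()


def sign(key: bytes, message: str) -> str:
    """Stand-in for a detached signature over the archive digest."""
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()


def verify(key: bytes, message: str, signature: str) -> bool:
    return hmac.compare_digest(sign(key, message), signature)


@dataclass
class Release:
    name: str
    version: str
    archive: bytes
    index_sig: str = ""    # signature by the index (the trusted intermediary)
    project_sig: str = ""  # signature by the project itself (end-to-end)


def publish(release: Release, project_key: Optional[bytes], index_key: bytes) -> Release:
    """Upload: the project may sign the digest; the index always signs what it serves."""
    d = digest(release.archive)
    if project_key is not None:
        release.project_sig = sign(project_key, d)
    release.index_sig = sign(index_key, d)
    return release


def verify_via_index(release: Release, index_key: bytes) -> bool:
    """Intermediary model: the client accepts whatever the index signed."""
    return verify(index_key, digest(release.archive), release.index_sig)


def verify_end_to_end(release: Release, pinned_project_keys: Dict[str, bytes]) -> bool:
    """End-to-end model: the client needs the project's key from out of band.

    With no pinned key (or no project signature) the check cannot succeed;
    refusing is the policy here, which is exactly why most projects would in
    practice keep relying on the index.
    """
    key = pinned_project_keys.get(release.name)
    if key is None or not release.project_sig:
        return False
    return verify(key, digest(release.archive), release.project_sig)


def simulate_index_compromise(release: Release, index_key: bytes, replacement: bytes) -> Release:
    """Threat model: whoever holds the index key swaps the archive and re-signs it.

    Without the project's key they cannot produce a fresh project signature,
    so the old one is carried over and no longer matches the archive.
    """
    swapped = Release(release.name, release.version, replacement,
                      project_sig=release.project_sig)
    swapped.index_sig = sign(index_key, digest(replacement))
    return swapped


def run_scenario() -> Dict[str, bool]:
    """Publish a genuine release, tamper with it at the index, verify both ways."""
    genuine = publish(Release("example-pkg", "1.0", b"genuine sdist bytes"),
                      PROJECT_KEY, INDEX_KEY)
    pinned = {"example-pkg": PROJECT_KEY}  # obtained out of band: the key-management cost
    tampered = simulate_index_compromise(genuine, INDEX_KEY, b"tampered sdist bytes")
    return {
        "genuine_passes_index_check": verify_via_index(genuine, INDEX_KEY),
        "genuine_passes_e2e_check": verify_end_to_end(genuine, pinned),
        "tampered_passes_index_check": verify_via_index(tampered, INDEX_KEY),  # undetected
        "tampered_passes_e2e_check": verify_end_to_end(tampered, pinned),      # detected
    }


if __name__ == "__main__":
    for check, result in run_scenario().items():
        print(f"{check}: {result}")
```

The index-trusted check passes for the tampered archive because the index key re-signed it, which is the "trusting PyPI not to get compromised" position; the end-to-end check fails because the pinned project key never saw the replacement. The cost shows up in `pinned`: every client has to acquire and maintain that key material for each project it wants to verify this way.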