[Distutils] Malicious packages on PyPI
Donald Stufft
donald at stufft.io
Thu Jun 1 21:06:59 EDT 2017
> On Jun 1, 2017, at 8:15 PM, Matt Joyce <matt at nycresistor.com> wrote:
>
> Or start doing signed pgp for package maintainers and build a transitive trust model.
>
PGP is not useful for our use case except as a generic crypto primitive, and there are better generic crypto primitives out there. See https://caremad.io/posts/2013/07/packaging-signing-not-holy-grail/
—
Donald Stufft