[Distutils] Malicious packages on PyPI

Donald Stufft donald at stufft.io
Thu Jun 1 21:06:59 EDT 2017

> On Jun 1, 2017, at 8:15 PM, Matt Joyce <matt at nycresistor.com> wrote:
> Or start doing signed pgp for package maintainers and build a transitive trust model.

PGP is not useful for our use case except as a generic crypto primitive, and there are better generic crypto primitives out there. See https://caremad.io/posts/2013/07/packaging-signing-not-holy-grail/ <https://caremad.io/posts/2013/07/packaging-signing-not-holy-grail/>

Donald Stufft

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20170601/fd3874b8/attachment.html>

More information about the Distutils-SIG mailing list