[Distutils] Malicious packages on PyPI

Matt Joyce matt at nycresistor.com
Thu Jun 1 22:33:52 EDT 2017


I was more pushing for the transitive trust element than signing.  That
being said, any signing at all would be progress.

On Jun 1, 2017 9:07 PM, "Donald Stufft" <donald at stufft.io> wrote:


On Jun 1, 2017, at 8:15 PM, Matt Joyce <matt at nycresistor.com> wrote:

Or start doing signed pgp for package maintainers and build a transitive
trust model.



PGP is not useful for our use case except as a generic crypto primitive,
and there are better generic crypto primitives out there. See
https://caremad.io/posts/2013/07/packaging-signing-not-holy-grail/


—
Donald Stufft

