[Distutils] GnuPG signatures on PyPI: why so few?

Donald Stufft donald at stufft.io
Tue Mar 14 01:55:08 EDT 2017

> On Mar 14, 2017, at 1:48 AM, Glyph Lefkowitz <glyph at twistedmatrix.com> wrote:
> 3. A simple signing scheme, like https://minilock.io but for plaintext signatures rather than encryption <https://github.com/kaepora/miniLock/issues/198>, could potentially address this problem.

This is basically the plan, using it in conjunction with TUF for the fiddly bits (because simply signing files isn’t good enough).

Donald Stufft
