[Python-ideas] Signed eggs?
Paul Moore
p.f.moore at gmail.com
Fri Jul 10 12:18:16 CEST 2009
2009/7/10 Stefan Behnel <stefan_ml at behnel.de>:
> Tim Lesher wrote:
>> In all the current discussion on python-dev about improving eggs and
>> setuptools in general, I don't think I've seen anything regarding
>> digitally signed eggs or verifiable egg distribution. Google doesn't
>> seem to turn anything up, either.
>>
>> Has anyone put any thought into this?
>
> Well, you can sign all stuff that you upload to PyPI. It usually doesn't
> get verified on installation, though.
And you could write a PEP 302 installer to load & verify signed eggs.
Nothing new here, other than no-one has wanted to do it so far.
BTW, eggs and setuptools are a 3rd party package - there's nothing
about them in core Python. The discussions on python-dev are about
enhancing *distutils* - ironically, in a way that possibly reduces the
need for setuptools - and not about setuptools. Setuptools isn't
appropriate for python-dev (the distutils SIG mailing list hosts
discussions about setuptools if you want to raise the subject there).
Paul.