[Pythonmac-SIG] Package Manager idea, adding a URL scheme

[Eric Nieuwland]

I've been catching up on this thread a bit and I'm under the impression 
that there meybe a mix-up on authentication needs when making packages 
available.

First there the maintainer of the PackMan database needs to be assured 
that the source can be trusted. As there can be many sources, this is a 
hard problem and ultimately would require a full-blown PKI. Now I can 
hardly imagine anyone would like to set-up a PKI just for fun. PGP 
probably is the way to go here.

Then there is the end-user who has to be convinced s/he can trust the 
PackMan database and the packages obtained through it. The discussion 
on MD5/SHA-1 and SSL seem to cover that fine.

Bottom line is I would not try to implement a single mechanism and use 
it for both situations.

Just my 10c.

--eric