[Python-Dev] Signed packages

Alexandre Zani alexandre.zani at gmail.com
Fri Jun 22 18:54:28 CEST 2012


On Fri, Jun 22, 2012 at 9:35 AM, Donald Stufft <donald.stufft at gmail.com> wrote:

Ideally authors will be signing their packages (using gpg keys). Of course how to distribute keys is an exercise left to the reader.

Key distribution is the real issue though. If there isn't a key distribution infrastructure in place, we might as well not bother with signatures. PyPI could issue x509 certs to packagers. You wouldn't be able to verify that the name given is accurate, but you would be able to verify that all packages with the same listed author are actually by that author.

On Friday, June 22, 2012 at 11:48 AM, Vinay Sajip wrote:

<martin at v.loewis.de> writes:

See above. Also notice that such signing is already implemented, as part of PEP 381. BTW, I notice that the certificate for https://pypi.python.org/ expired a week ago ... Regards, Vinay Sajip


Python-Dev mailing list Python-Dev at python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/donald.stufft%40gmail.com


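A toy model of the idea raised above (PyPI as a CA issuing x509 certs to packagers, so a verifier can confirm that every package carrying the same listed author really came from the holder of that cert), added here as an example and not code from the thread or from PyPI. It assumes the third-party `cryptography` package and constructs all keys locally; `issue_cert`, `sign_package` and `verify_package` are hypothetical names.

```python
# Added example: a constructed PyPI-as-CA model, not real PyPI code.
import datetime as dt
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def issue_cert(common_name, issuer=None, issuer_key=None, is_ca=False):
    """Return (cert, private_key); self-signed when no issuer is given."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = dt.datetime.utcnow()
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer.subject if issuer else subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - dt.timedelta(hours=1))
        .not_valid_after(now + dt.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key or key, hashes.SHA256())
    )
    return cert, key


def sign_package(packager_key, contents):
    """The packager signs the package bytes (SHA-256 + ECDSA)."""
    return packager_key.sign(contents, ec.ECDSA(hashes.SHA256()))


def verify_package(pypi_ca, signer_cert, contents, signature):
    """Return the signer's CN if signer_cert was issued by pypi_ca and the
    signature over contents is valid; None on any failure."""
    try:
        # The packager cert must name the PyPI CA as issuer and carry its signature.
        if signer_cert.issuer != pypi_ca.subject:
            return None
        pypi_ca.public_key().verify(
            signer_cert.signature, signer_cert.tbs_certificate_bytes,
            ec.ECDSA(signer_cert.signature_hash_algorithm))
        if not signer_cert.not_valid_before <= dt.datetime.utcnow() <= signer_cert.not_valid_after:
            return None
        # Then the package signature must verify under the packager's key.
        signer_cert.public_key().verify(signature, contents, ec.ECDSA(hashes.SHA256()))
    except InvalidSignature:
        return None
    return signer_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
```

The returned CN is what lets a verifier link several packages to one packager; a self-signed cert that merely claims the same name is rejected because it does not chain to the PyPI CA.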


