At 07:20 PM 10/23/2005 +0200, Martin v. Löwis wrote:
>When you have package dependencies, the using package could include the
>key fingerprint of the expected signer of the used package. A user would
>then only have to trust the "topmost" package author, to not include
>malware in its own package, and to have verified the signer of the
>lower packages for both identity and moral trustworthiness.

In this case, that person could simply distribute everything from their site, and the user can simply require all the downloads to come from that site using easy_install's --allow-hosts option. For example, since TurboGears distributes all its dependencies, I could trust only turbogears.org. Or, I could choose to trust anything from cheeseshop.python.org.

In other words, host-based trust seems a lot easier to implement and almost as useful.

_______________________________________________
Catalog-sig mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
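The host-based trust the reply describes comes down to one check: before a dependency is fetched, its download URL's hostname must match an allowlist. The following is an added illustration of that check, not setuptools' own `--allow-hosts` implementation and not code from the thread; it assumes the option's semantics are shell-style glob patterns over the hostname (so `*.turbogears.org` covers subdomains), and the allowlist and candidate URLs are constructed sample data built from the hosts named in the message. One caveat worth keeping in mind when relying on this model: a hostname allowlist decides where a download is allowed to come from, but it says nothing about what arrived, so without transport integrity (TLS) or a content hash it does not defend against a tampered-with download from an allowed host.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed allowlist modelled on the message's example: trust only the
# TurboGears site (and its subdomains) or the Cheese Shop. Patterns are
# shell-style globs; a bare hostname matches only itself. (Assumption: this
# mirrors what easy_install --allow-hosts does; it is not its implementation.)
ALLOWED_HOSTS = ["turbogears.org", "*.turbogears.org", "cheeseshop.python.org"]


def host_of(url):
    """Return the lower-cased hostname of url, or None if it has none.

    urlsplit().hostname already lower-cases the host and strips any
    userinfo and port, so 'http://user@TurboGears.org:8080/' -> 'turbogears.org'.
    """
    return urlsplit(url).hostname


def host_allowed(url, allowed=ALLOWED_HOSTS):
    """True if the URL's hostname matches at least one allowlist pattern.

    fnmatchcase is used (not fnmatch) so matching does not become
    case-insensitive on Windows; hostnames are normalised to lower case
    by urlsplit, and the patterns are written in lower case.
    """
    host = host_of(url)
    if host is None:  # e.g. file:/// URLs carry no host: never trusted here
        return False
    return any(fnmatchcase(host, pattern) for pattern in allowed)


def filter_downloads(urls, allowed=ALLOWED_HOSTS):
    """Split candidate download URLs into (accepted, rejected) lists."""
    accepted, rejected = [], []
    for url in urls:
        (accepted if host_allowed(url, allowed) else rejected).append(url)
    return accepted, rejected


# Constructed sample of candidate download links, including two look-alikes:
# one with the trusted name only in the path, one with it as a prefix of an
# unrelated domain. Neither matches, because matching is on the hostname only
# and "*.turbogears.org" must match the whole host.
CANDIDATES = [
    "http://www.turbogears.org/download/TurboGears-0.8.tar.gz",
    "http://cheeseshop.python.org/packages/source/S/SQLObject-0.7.tar.gz",
    "http://evil.example.net/turbogears.org/CherryPy-2.1.tar.gz",
    "http://turbogears.org.example.net/FormEncode-0.4.tar.gz",
    "file:///tmp/Kid-0.8.tar.gz",
]

if __name__ == "__main__":
    ok, bad = filter_downloads(CANDIDATES)
    for url in ok:
        print("allowed :", url)
    for url in bad:
        print("rejected:", url)
```

Running the block prints the two trusted URLs as allowed and the three others as rejected. The design point is that the decision is made on the parsed hostname alone, never on a substring search over the whole URL, which is what makes the path-based and prefix-based look-alikes fail.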
