Currently setuptools allows uploading a PGP signature along with the package, so that integrity and security can be checked. As far as I know, currently "easy_install" doesn't check it. That is bad, but life sucks.
My problem now is with mirrors: how can anybody validate the files? Besides the possible PGP signatures of authors (a check that should be integrated into "easy_install"), I would like the PyPI main server (I guess it would be the single point where people upload new packages; the mirrors would be read-only) to digitally sign each uploaded package. This way, easy_install can check any package downloaded from any mirror, because the PyPI public key would be a well-known value.

I have Python code to digitally sign and verify signatures using the ElGamal algorithm. Any interest?

- --
Jesus Cea Avion - [email protected] - http://www.jcea.es/
jabber / xmpp:[email protected]

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
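The flow proposed above, as an added example that is not part of the original message nor of setuptools or PyPI: the index server signs each upload with textbook ElGamal, and the client verifies whatever it fetched from an untrusted mirror against the index's well-known public key, refusing a file that was altered on the mirror. The group parameters (p = 2^127 - 1, g = 3), the SHA-256 hash and the dict standing in for a mirror are assumptions for demonstration only.

```python
import hashlib
import math
import secrets

# Demo group (assumption): p = 2**127 - 1 is prime, g = 3 an arbitrary base.
# A real index would use a standard group of 2048 bits or more.
P = (1 << 127) - 1
G = 3


def _digest(data: bytes) -> int:
    """Hash the package bytes and reduce into the exponent group mod p-1."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (P - 1)


def keygen():
    """Index server key pair: private x, public y = g^x mod p."""
    x = secrets.randbelow(P - 3) + 2  # 2 <= x <= p-2
    return x, pow(G, x, P)


def sign(x: int, data: bytes):
    """Index side: ElGamal signature (r, s) over the uploaded package."""
    h = _digest(data)
    while True:
        k = secrets.randbelow(P - 3) + 2  # fresh ephemeral, coprime to p-1
        if math.gcd(k, P - 1) != 1:
            continue
        r = pow(G, k, P)
        s = (h - x * r) * pow(k, -1, P - 1) % (P - 1)
        if s != 0:
            return r, s


def verify(y: int, data: bytes, sig) -> bool:
    """Accept iff g^H == y^r * r^s (mod p) and r, s are in range."""
    r, s = sig
    if not (0 < r < P and 0 < s < P - 1):
        return False
    return pow(G, _digest(data), P) == pow(y, r, P) * pow(r, s, P) % P


def fetch_verified(mirror: dict, name: str, index_pubkey: int) -> bytes:
    """Client side: take file + signature from an untrusted mirror (a dict
    standing in for HTTP) and refuse the bytes unless the index signed them."""
    data, sig = mirror[name]
    if not verify(index_pubkey, data, sig):
        raise ValueError(f"{name}: signature does not verify against index key")
    return data
```

Only the index ever holds the private key; a mirror can serve the file and the signature but cannot produce a valid signature for modified bytes.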
