Martin v. Löwis wrote:
>> Sorry if this is the wrong group (if it is, please redirect me to the
>> proper list), but I'd like to suggest that PyPI be available via SSL
>> protection.
>
> Notice that it already supports SSH access for this very purpose.

Ah. For that, download tools should use the server signatures protocol,
i.e. access (e.g.) http://pypi.python.org/serversig/roundup

This will also allow verifying the authenticity of mirrors that follow PEP 381.

Download tools should cache the server key (and might also choose to
hard-code it). Exact roll-over procedures are not defined yet, but I plan
to always sign the next key with the previous one.

Regards,
Martin
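A sketch of the client side of the scheme described in the message above: a download tool pins the server key, checks a mirror's page against it, and accepts a new key only through a chain in which each key is signed by its predecessor. This is an added example, not code from the post, PyPI or PEP 381. PEP 381 signatures are DSA; to stay within the standard library the sketch substitutes an insecure toy RSA signature built from Mersenne primes, and the chain format, the class and all names are assumptions, since the message says the roll-over procedure is not yet defined.

```python
import hashlib

E = 65537  # public exponent shared by the constructed toy keys


def make_key(p, q):
    """Toy RSA key from two known Mersenne primes. Constructed sample, NOT secure."""
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(key, data):
    return pow(_digest(data), key["d"], key["n"])


def verify(n, data, sig):
    return pow(sig, E, n) == _digest(data)


def key_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


class PinnedKeyStore:
    """Download tool's cached server key (hypothetical class)."""

    def __init__(self, pinned_n):
        self.pinned = pinned_n  # cached or hard-coded at install time

    def roll_over(self, chain):
        """chain: [(new_key, signature made with the previous key), ...], oldest first."""
        current = self.pinned
        for new_n, sig in chain:
            if not verify(current, key_bytes(new_n), sig):
                raise ValueError("key in chain is not signed by its predecessor")
            current = new_n
        self.pinned = current  # commit only once every link has verified

    def check_page(self, page, sig):
        """True if a mirror's copy of a page carries a valid server signature."""
        return verify(self.pinned, page, sig)


# Constructed keys: current server key, its successor, and an unrelated key.
OLD = make_key(2**521 - 1, 2**607 - 1)
NEW = make_key(2**1279 - 1, 2**2203 - 1)
ROGUE = make_key(2**2281 - 1, 2**3217 - 1)
```

Because the pinned key is replaced only after the whole chain verifies, a mirror that presents a self-signed replacement key leaves the cache unchanged.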
