On Mon, Apr 19, 2010 at 11:51 PM, "Martin v. Löwis" <[email protected]> wrote:
>
> About the only approach I can think of is PGP signing by the actual
> package authors, which is already supported in PyPI (but not in
> setuptools/distribute, AFAIK). We could strengthen this with our own web
> of trust within the community of PyPI users, which would take
> some time to set up. We could also encourage the use of CAcert user
> certificates for code signing instead/in addition.

IIRC the biggest hole with PyPI and setuptools for now is that it doesn't allow executing "setup.py bdist register upload" without saving the password in clear form on the user's system.

CCed to catalog-sig. Let's see if it will bounce.

--
anatoly t.

_______________________________________________
Catalog-SIG mailing list
[email protected]
http://mail.python.org/mailman/listinfo/catalog-sig
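The cleartext-password problem raised above, as an added audit script that is not part of the thread: it assumes the distutils `register`/`upload` commands read `~/.pypirc` (a file the thread itself does not name) and flags every index server whose password sits in that file, plus loose file permissions.

```python
"""Audit a distutils/setuptools .pypirc for passwords stored in the clear.

Added example, not from the thread. Assumption: the distutils `register`
and `upload` commands read ~/.pypirc, where a non-interactive upload
needs the password in plaintext; this reports such entries and file modes.
"""
import configparser
import os
import stat

# Constructed sample .pypirc for offline testing (not a real account).
SAMPLE_PYPIRC = """\
[distutils]
index-servers =
    pypi
    testpypi
[pypi]
username: example-user
password: hunter2
[testpypi]
username: example-user
"""


def find_plaintext_passwords(text: str) -> list:
    """(server, username) for each index server whose section holds a password.
    Servers without one get prompted at upload time, so nothing hits disk."""
    # interpolation=None: a '%' inside a password must not be expanded.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    servers = parser.get("distutils", "index-servers", fallback="").split()
    return [
        (s, parser.get(s, "username", fallback=""))
        for s in servers
        if parser.has_section(s) and parser.get(s, "password", fallback="")
    ]

def mode_is_private(path: str) -> bool:
    """True if only the owner can read or write the file (mode 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0

def audit(path: str) -> list:
    """Findings for a .pypirc on disk: cleartext entries and loose modes."""
    with open(path, encoding="utf-8") as fh:
        leaks = find_plaintext_passwords(fh.read())
    findings = [f"{path}: plaintext password for '{u}' on '{s}'" for s, u in leaks]
    if leaks and not mode_is_private(path):
        findings.append(f"{path}: group/world readable; tighten to 0600")
    return findings
```

Run `audit(os.path.expanduser("~/.pypirc"))` to check a real file; `find_plaintext_passwords(SAMPLE_PYPIRC)` shows the one leaking entry in the constructed sample.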
