On Tue, Jun 15, 2010 at 6:24 PM, Steven D'Aprano <st...@pearwood.info> wrote: > A digital signature is not an MD5 checksum, it may have actual legal > meaning in many countries equivalent to a pen and paper signature.
I would expect that verifying a package was signed by PyPI to mean no more than that the bits match what's available from PyPI for the same name. (Not sure if that's what's in the PEP, but that's what I'd be looking for.) We'd have to disclaim anything more than that. But it would be useful to verify that a package from a mirror was accurately mirrored. -Fred -- Fred L. Drake, Jr. <fdrake at gmail.com> "Chaos is the score upon which reality is written." --Henry Miller _______________________________________________ Catalog-SIG mailing list Catalog-SIG@python.org http://mail.python.org/mailman/listinfo/catalog-sig
