I would not be digitally signing anything I didn't create unless I had
good legal advice that it was safe to do so.

I'm actually not worried about this. In my own country, a valid digital signature requires much more than invocation of the RSA algorithm. E.g. availability of certain certified information about the key holder is necessary (including some identification of the key holder). The PyPI signatures don't include any identification information.

Also, the only thing that *does* get signed are the simple index pages, and indeed, I not only sign them, I also generate them.

Regards,
Martin
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig