On 11/19/12 7:43 PM, Daniel Holth wrote:
If PyPI would also sign the public key, and possibly the metadata for
a particular release, that feature could be pretty cool.
Why pip?
On Mon, Nov 19, 2012 at 1:37 PM, Tarek Ziadé <ta...@ziade.org> wrote:
Hey
I am currently writing a small script to verify that the gpg signature is correct when the --sign option is used with the Distutils upload command, and I was wondering why we don't publish the public key alongside the .asc file.

Right now, unless I missed something, to verify a signature the user has to manually get the public key before she can control the tarball.

Wouldn't it make sense to modify the upload command and add a .pubkey file alongside the archive file and the .asc file on PyPI? (since we don't have a notion of team/users etc.)

Cheers
Tarek
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
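
The manual check discussed in the thread above, as an added shell example that is not part of the original messages: it imports a key file into a throwaway keyring, verifies the detached `.asc` signature, and compares the signer's fingerprint with one obtained separately. The `.pubkey` file name follows the proposal; the function name `verify_release` and the expected-fingerprint argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Usage:
#   verify_release ARCHIVE ARCHIVE.asc ARCHIVE.pubkey EXPECTED_FINGERPRINT
# Return status: 0 = good signature made by the expected key
#                1 = no valid signature, or the key file could not be imported
#                2 = valid signature, but from a key other than the expected one
verify_release() {
    archive=$1 sig=$2 pubkey=$3 expected=$4

    # Throwaway keyring: the downloaded key never enters the user's own keyring.
    home=$(mktemp -d) || return 1
    chmod 700 "$home"

    if ! gpg --homedir "$home" --batch --quiet --import "$pubkey" 2>/dev/null; then
        rm -rf "$home"
        return 1
    fi

    # --status-fd emits machine-readable lines. VALIDSIG appears only for a
    # cryptographically good signature; its last field is the primary key
    # fingerprint of the signer.
    status=$(gpg --homedir "$home" --batch --status-fd 1 \
                 --verify "$sig" "$archive" 2>/dev/null) || true
    rm -rf "$home"

    signer=$(printf '%s\n' "$status" | awk '$2 == "VALIDSIG" { print $NF; exit }')
    [ -n "$signer" ] || return 1

    # A key stored next to the archive only shows that archive, signature and
    # key agree with each other. The expected fingerprint is assumed to come
    # from a separate source. Normalise it: no spaces, upper-case hex.
    want=$(printf '%s' "$expected" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "$signer" = "$want" ] || return 2
    return 0
}
```

Status 2 is the case the fingerprint comparison exists for: the three files are mutually consistent, but the signing key is not the one the user expected.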