On 19.11.2012 19:37, Tarek Ziadé wrote:
> Hey
>
> I am currently writing a small script to verify that the gpg signature is
> correct when the --sign option is used with the Distutils upload command,
> and I was wondering why we don't publish the public key alongside the
> .asc file.
>
> Right now, unless I missed something, to verify a signature the user has
> to manually get the public key before she can control the tarball.
>
> Wouldn't it make sense to modify the upload command and add a .pubkey
> file alongside the archive file and the .asc file on PyPI? (since we
> don't have a notion of team/users etc.)
Doesn't that cause problems when revoking a public key?

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Nov 19 2012)
>>> Python Projects, Consulting and Support ...   http://www.egenix.com/
>>> mxODBC.Zope/Plone.Database.Adapter ...       http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
________________________________________________________________________

::: Try our new mxODBC.Connect Python Database Interface for free ! ::::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
           Registered at Amtsgericht Duesseldorf: HRB 46611
               http://www.egenix.com/company/contact/
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
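A verification script of the kind Tarek describes, added here as an example; it is not part of the thread, of Distutils or of PyPI. It imports the .pubkey published next to the archive into a throwaway GnuPG home directory, runs gpg --verify, and reads the machine-readable --status-fd lines rather than the human-readable output, so that a signature made with a revoked or expired key (Marc-Andre's concern) is reported as such instead of as good. Because the .pubkey is chosen by whoever uploaded the archive, the script also accepts a fingerprint pinned out of band and refuses a "good" verdict from any other key. The gpg binary on PATH, the file names, the example.org user ID and the SAMPLE_* status lines are all assumptions made for the example.

```python
"""Verify a sdist against its detached .asc using a .pubkey published
alongside it.  Added example for the thread above, not Distutils/PyPI code.

Assumptions: the gpg CLI is on PATH as `gpg`; file names are whatever the
caller passes; the SAMPLE_* status lines are constructed, not captured.
"""
import os
import subprocess
import sys
import tempfile

# Constructed sample --status-fd output (not captured from a real gpg run).
FPR = "00112233445566778899AABBCCDDEEFF01234567"
SAMPLE_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG CCDDEEFF01234567 Example Maintainer <maint@example.org>",
    "[GNUPG:] VALIDSIG %s 2012-11-19 1353350000 0 4 0 1 10 00 %s" % (FPR, FPR),
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
SAMPLE_REVOKED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] REVKEYSIG CCDDEEFF01234567 Example Maintainer <maint@example.org>",
    "[GNUPG:] VALIDSIG %s 2012-11-19 1353350000 0 4 0 1 10 00 %s" % (FPR, FPR),
]


def evaluate_status(status_lines, expected_fingerprint=None):
    """Reduce gpg --status-fd lines to one verdict string.

    gpg reports a good signature from a revoked key as REVKEYSIG and one
    from an expired key as EXPKEYSIG *instead of* GOODSIG, while the
    human-readable output still says "Good signature"; a verifier that
    greps for that string would accept both.
    """
    keywords = {}
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue
        parts = line.split()
        keywords.setdefault(parts[1], []).append(parts[2:])

    if "BADSIG" in keywords:
        return "bad"
    if "NO_PUBKEY" in keywords:
        return "no-pubkey"
    if "ERRSIG" in keywords:
        return "error"
    if "REVKEYSIG" in keywords:
        return "revoked"
    if "EXPKEYSIG" in keywords or "EXPSIG" in keywords:
        return "expired"
    if "GOODSIG" not in keywords or "VALIDSIG" not in keywords:
        return "no-signature"

    # VALIDSIG <fpr> <date> <sig-ts> <expire-ts> <ver> <reserved> <pk-algo>
    #          <hash-algo> <sig-class> <primary-key-fpr>
    validsig = keywords["VALIDSIG"][0]
    signing_fpr = validsig[0].upper()
    primary_fpr = validsig[9].upper() if len(validsig) > 9 else signing_fpr
    if expected_fingerprint is not None:
        # The .pubkey came from the same uploader as the archive, so "good"
        # only means something if the key is one the verifier already trusts.
        want = expected_fingerprint.replace(" ", "").upper()
        if want not in (signing_fpr, primary_fpr):
            return "fingerprint-mismatch"
    return "good"


def verify_published(archive, asc, pubkey, expected_fingerprint=None):
    """Import the published key into a throwaway keyring, then verify."""
    with tempfile.TemporaryDirectory() as home:
        os.chmod(home, 0o700)  # gpg warns about group/world-readable homedirs
        gpg = ["gpg", "--batch", "--no-tty", "--homedir", home]
        subprocess.run(gpg + ["--import", pubkey], check=True,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        proc = subprocess.run(
            gpg + ["--status-fd", "1", "--verify", asc, archive],
            stdout=subprocess.PIPE, stderr=subprocess.DEVNULL, text=True)
    return evaluate_status(proc.stdout.splitlines(), expected_fingerprint)


if __name__ == "__main__":
    if len(sys.argv) not in (4, 5):
        sys.exit("usage: verify_sdist.py ARCHIVE ARCHIVE.asc ARCHIVE.pubkey [FINGERPRINT]")
    verdict = verify_published(*sys.argv[1:5])
    print(verdict)
    sys.exit(0 if verdict == "good" else 1)
```

Run as `python verify_sdist.py foo-1.0.tar.gz foo-1.0.tar.gz.asc foo-1.0.tar.gz.pubkey "<pinned fingerprint>"` (hypothetical file names). Note that the throwaway keyring holds only the key that was uploaded with the archive, so a revocation certificate issued after the upload is invisible to it; a deployment that cares about revocation has to refresh the key from a keyserver or verify against a keyring it maintains itself, which is exactly why shipping the .pubkey next to the .asc does not by itself settle the revocation question.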