On Mon, Nov 19, 2012 at 1:45 PM, Tarek Ziadé <ta...@ziade.org> wrote:
> On 11/19/12 7:43 PM, Daniel Holth wrote: > > If pypi would also sign the public key, and possibly the metadata for a > particular release, that feature could be pretty cool. > > > why pip ? > It's the premier Python package manager. PyPI would sign the publisher's keys so that you could trust them without having to worry about the connection. You could mirror the expected keys this way. Key revocation is an unrelated issue. A revoked key is still revoked even if you can download a version of it that is not marked as revoked.
_______________________________________________ Catalog-SIG mailing list Catalog-SIG@python.org http://mail.python.org/mailman/listinfo/catalog-sig
