On 11/19/12 8:03 PM, Daniel Holth wrote:
> On Mon, Nov 19, 2012 at 1:45 PM, Tarek Ziadé <ta...@ziade.org> wrote:
>> On 11/19/12 7:43 PM, Daniel Holth wrote:
>>> If PyPI would also sign the public key, and possibly the metadata
>>> for a particular release, that feature could be pretty cool.
>>
>> Why pip?
>
> It's the premier Python package manager.
>
> PyPI would sign the publisher's keys so that you could trust them
> without having to worry about the connection. You could mirror the
> expected keys this way.
>
> Key revocation is an unrelated issue. A revoked key is still revoked
> even if you can download a version of it that is not marked as revoked.

But you don't upload packages to PyPI using pip, since it's just the
installer, so I don't get the workflow.
_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
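The trust chain Daniel sketches in the quoted text (the index signs publisher keys, the installer trusts the index's key rather than the connection it downloaded over, and revocation is enforced separately from whatever copy of the key was served) as an added worked example in Go. This is not code from the thread and not how pip or PyPI work; the attestation and release-metadata formats, the field names, the fingerprint-based revocation list and the sample distribution bytes are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// KeyAttestation is what the index (PyPI in the thread) would sign: it binds
// a publisher name to that publisher's public key. Hypothetical format.
type KeyAttestation struct {
	Publisher string
	PubKey    ed25519.PublicKey
	IndexSig  []byte
}

// ReleaseMetadata is what the publisher signs: project, version and the
// SHA-256 of the distribution file. Hypothetical format.
type ReleaseMetadata struct {
	Project      string
	Version      string
	FileSHA256   string
	PublisherSig []byte
}

// Installer holds the index root key it ships with and a revocation list of
// publisher-key fingerprints obtained independently of any download.
type Installer struct {
	IndexRoot ed25519.PublicKey
	Revoked   map[string]bool
}

// Type prefixes and NUL separators keep a signature over one message type
// from being replayed as the other.
func attestationMessage(publisher string, pub ed25519.PublicKey) []byte {
	return []byte("key-attestation\x00" + publisher + "\x00" + hex.EncodeToString(pub))
}

func releaseMessage(project, version, fileHash string) []byte {
	return []byte("release\x00" + project + "\x00" + version + "\x00" + fileHash)
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Fingerprint of a publisher key, used as the revocation-list key.
func Fingerprint(pub ed25519.PublicKey) string { return sha256Hex(pub) }

// Verify walks the chain index -> publisher key -> release metadata -> file.
// None of the checks depend on how the artefacts reached the installer.
func (in *Installer) Verify(att KeyAttestation, rel ReleaseMetadata, file []byte) error {
	if !ed25519.Verify(in.IndexRoot, attestationMessage(att.Publisher, att.PubKey), att.IndexSig) {
		return errors.New("index signature over publisher key does not verify")
	}
	// A revoked key stays revoked even if an unrevoked copy is served.
	if in.Revoked[Fingerprint(att.PubKey)] {
		return errors.New("publisher key is revoked")
	}
	if !ed25519.Verify(att.PubKey, releaseMessage(rel.Project, rel.Version, rel.FileSHA256), rel.PublisherSig) {
		return errors.New("publisher signature over release metadata does not verify")
	}
	if sha256Hex(file) != rel.FileSHA256 {
		return errors.New("distribution file does not match the signed hash")
	}
	return nil
}

// Demo runs the flow with freshly generated keys and constructed sample data
// and returns the installer's verdict on: a good release, a tampered file,
// a substituted key the index never signed, and a revoked key.
func Demo() (good, tampered, unattested, revoked error) {
	indexPub, indexPriv, _ := ed25519.GenerateKey(rand.Reader)
	pubPub, pubPriv, _ := ed25519.GenerateKey(rand.Reader)
	otherPub, otherPriv, _ := ed25519.GenerateKey(rand.Reader)

	file := []byte("constructed sample wheel contents") // constructed, not a real wheel
	att := KeyAttestation{Publisher: "example-publisher", PubKey: pubPub}
	att.IndexSig = ed25519.Sign(indexPriv, attestationMessage(att.Publisher, att.PubKey))
	rel := ReleaseMetadata{Project: "example", Version: "1.0", FileSHA256: sha256Hex(file)}
	rel.PublisherSig = ed25519.Sign(pubPriv, releaseMessage(rel.Project, rel.Version, rel.FileSHA256))

	installer := &Installer{IndexRoot: indexPub, Revoked: map[string]bool{}}
	good = installer.Verify(att, rel, file)
	tampered = installer.Verify(att, rel, []byte("modified contents"))

	// A key the index never signed fails the first check even though its
	// own release signature is internally consistent.
	badAtt := KeyAttestation{Publisher: att.Publisher, PubKey: otherPub, IndexSig: att.IndexSig}
	badRel := rel
	badRel.PublisherSig = ed25519.Sign(otherPriv, releaseMessage(rel.Project, rel.Version, rel.FileSHA256))
	unattested = installer.Verify(badAtt, badRel, file)

	// Revocation comes from the installer's own list, not from the attestation.
	installer.Revoked[Fingerprint(pubPub)] = true
	revoked = installer.Verify(att, rel, file)
	return
}

func main() {
	good, tampered, unattested, revoked := Demo()
	fmt.Println("good release:", good, "| tampered:", tampered)
	fmt.Println("unattested key:", unattested, "| revoked:", revoked)
}
```

The point of the ordering in Verify is the one Daniel makes: the installer's trust anchor is the index key it already has, so mirrors and untrusted connections can serve the attestation and metadata without being trusted, and revocation is decided against a list the installer maintains rather than against the served copy of the key.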