On 11/20/12 1:49 PM, "Martin v. Löwis" wrote:
On 19.11.12 19:37, Tarek Ziadé wrote:
Wouldn't it make sense to modify the upload command and add a .pubkey
file alongside the archive file
and the .asc file on PyPI? (since we don't have a notion of team/users
etc.)

Each user is supposed to provide his PGP key ID. For those that did, we
could fetch them from the key server.

In some projects we have several owners and maintainers, so I am not sure
how we can decide which key to use. The initial owner?

Maybe we'd need to add a project <> key relation that's set by default
to the initial owner's key, but could be changed afterwards.

But as others said, if we start to add those features, we are going to hit all
the PKI issues - like the need to be able to revoke keys etc.


OTOH, users can also fetch them
themselves.

In PGP, keys should really be on the key servers, rather than having
distributed copies, since they get updated (e.g. when counter-signed
or revoked).

This sounds more robust. I will investigate and see if I can come up with a set of good practice here.


Regards,
Martin
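
As an added illustration of the checks the key-server and revocation points above imply (example code written for this thread, not distutils' or PyPI's own logic): after `gpg --verify` has run with `--status-fd`, a client can parse the machine-readable status lines and combine them with a per-project allowed-key table, the "project <> key relation" discussed above. The status lines, fingerprints and project names below are constructed samples.

```python
import re

# Status keywords gpg emits on --status-fd that mean "do not trust this
# signature" (format documented in GnuPG's doc/DETAILS). A signature by a
# revoked or expired key still yields VALIDSIG, so these must win over it.
BAD = {"BADSIG", "ERRSIG", "REVKEYSIG", "EXPKEYSIG", "EXPSIG",
       "NO_PUBKEY", "KEYREVOKED"}


def parse_status(status_text):
    """Return (verdict, fingerprint) from gpg --status-fd output.

    verdict is 'good', 'bad' or 'unknown'; fingerprint is the signing
    key's fingerprint taken from the VALIDSIG line, or None.
    """
    fpr, verdict = None, "unknown"
    for line in status_text.splitlines():
        m = re.match(r"\[GNUPG:\] (\S+)(?: (.*))?", line)
        if not m:
            continue
        keyword, rest = m.group(1), m.group(2) or ""
        if keyword in BAD:
            return "bad", fpr
        if keyword == "VALIDSIG":
            fpr = rest.split()[0]  # VALIDSIG <fingerprint> <date> ...
            verdict = "good"
    return verdict, fpr


def signature_acceptable(status_text, project, project_keys):
    """project_keys maps a project to the fingerprints its owners and
    maintainers registered. A cryptographically good signature made by a
    key that is not registered for this project is still rejected."""
    verdict, fpr = parse_status(status_text)
    if verdict != "good" or fpr is None:
        return False
    allowed = {k.upper() for k in project_keys.get(project, ())}
    return fpr.upper() in allowed


# Constructed samples (hypothetical key, project and status output).
FPR = "0000000000000000000000000123456789ABCDEF"
PROJECT_KEYS = {"examplepkg": {FPR}}
GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Maintainer <m@example.org>\n"
    f"[GNUPG:] VALIDSIG {FPR} 2012-11-20 1353426540 0 4 0 1 2 00 {FPR}\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n")
# Same signature after the maintainer revoked the key on the key server.
REVOKED_STATUS = GOOD_STATUS.replace("GOODSIG", "REVKEYSIG")
```

Because the verdict depends on the key's current state as refreshed from the key server, a revocation takes effect without the project having to re-upload anything.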



_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
