On Tue, Feb 5, 2013 at 3:24 PM, Daniel Holth <dho...@gmail.com> wrote:
> As long as you are trusting PyPI itself, a PyPI-hosted/signed/timestamped
> SHA2 hash of the file to be downloaded from an external host would be enough
> to detect tampering over time.
Hm. The discussion about signatures of files on the PSF list was so focused on how to make it simpler for the maintainers to sign the files that I forgot that we can have PyPI do it. That's quite a massive amount of work though, with thousands of sites to be crawled just to find the files.

I really, seriously, think we need to get rid of the crawling though. It's daft beyond absurdity.

//Lennart

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
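The check Daniel describes, sketched as an added example that is not code from this thread, from PyPI or from pip: the index records the digest of an externally hosted file and publishes it as a `#sha256=` URL fragment on the simple page (the convention PEP 503 later standardised), and the client recomputes the digest over whatever the external host actually serves. The `publish_link`/`verify_download` names and the sample bytes are constructed for this illustration; the signing and timestamping of the index record are left out.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Digest algorithms the client is willing to check against.
SUPPORTED = {"sha256": hashlib.sha256}


def publish_link(external_url: str, file_bytes: bytes) -> str:
    """Index side: PyPI hashes the externally hosted file once, when the
    release is registered, and serves that digest as a URL fragment."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    return f"{external_url}#sha256={digest}"


def parse_link(link: str):
    """Split a simple-page link into (download URL, hash name, hex digest).
    The hash parts are None when the index did not pin a digest."""
    parts = urlsplit(link)
    url = parts._replace(fragment="").geturl()
    if "=" not in parts.fragment:
        return url, None, None
    name, _, value = parts.fragment.partition("=")
    return url, name.lower(), value.lower()


def verify_download(link: str, fetched: bytes) -> bool:
    """Client side: recompute the digest over the bytes the external host
    served and compare with the digest the index vouched for. A mismatch
    means the file changed after PyPI recorded it; an unpinned link cannot
    be checked at all and is rejected rather than silently trusted."""
    _, name, expected = parse_link(link)
    if expected is None or name not in SUPPORTED:
        return False
    actual = SUPPORTED[name](fetched).hexdigest()
    return hmac.compare_digest(actual, expected)


# Constructed sample: the bytes PyPI saw at registration, and a later
# version of the same URL that the external host started serving instead.
ORIGINAL = b"example-1.0 sdist contents (constructed sample)\n"
TAMPERED = ORIGINAL + b"extra bytes added on the external host\n"
EXTERNAL_URL = "https://files.example.org/pkg/example-1.0.tar.gz"

if __name__ == "__main__":
    link = publish_link(EXTERNAL_URL, ORIGINAL)
    print(link)
    print("original verifies:", verify_download(link, ORIGINAL))   # True
    print("tampered verifies:", verify_download(link, TAMPERED))   # False
    print("unpinned verifies:", verify_download(EXTERNAL_URL, ORIGINAL))  # False
```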