On 05.02.2013 20:21, Christian Heimes wrote:
> User installs package
> ---------------------
>
> process:
> - <tool> retrieves the package and the combined signature file (PyPI's signature, metadata file and embedded signature of the uploader)
> - <tool> optionally downloads missing GPG keys from PyPI
> - <tool> verifies PyPI's signature of the metadata file and then the uploader's signature of the content
> - on success <tool> installs the package
>
> The verification process needs some interaction with the downloader. She must accept and establish a trust level with each key. This needs to be discussed in detail.
Perhaps this part could be handled by the (still unimplemented) distrust system that I'm writing: https://github.com/zyga/distrust

Thanks
ZK
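The quoted process describes a two-layer check: the index signs a metadata file, the uploader signs the content, and the downloader decides how far to trust each uploader key. The following is an added model of that chain, not code from the thread, from PyPI, or from the distrust project. GPG is replaced by an HMAC-SHA256 stand-in so it runs offline; the key ids, secrets, package bytes and metadata layout are all constructed for illustration. What it adds to the prose is the binding between the two layers: the uploader's key id and the content hash are taken from the PyPI-signed metadata, so a swapped archive or a swapped signing key is refused even though each signature on its own is valid.

```python
# Added example (not from the original thread): a model of the two-layer
# verification the quoted proposal describes. GPG is replaced by an
# HMAC-SHA256 stand-in so it runs offline; every key and secret is constructed.
import hashlib
import hmac
import json

INDEX_KEY = "PYPI-INDEX-KEY"  # hypothetical id of PyPI's own signing key

# Constructed secrets: a stand-in for the GPG keypairs of PyPI and two uploaders.
SECRETS = {
    INDEX_KEY: b"constructed-index-secret",
    "UPLOADER-KEY-ALICE": b"constructed-alice-secret",
    "UPLOADER-KEY-MALLORY": b"constructed-mallory-secret",
}


class VerificationError(Exception):
    """Raised when any step of the chain fails; the tool must not install."""


def _mac(secret, data):
    return hmac.new(secret, data, hashlib.sha256).hexdigest()


def sign(key_id, data):
    """Stand-in for producing a detached GPG signature with key_id."""
    return _mac(SECRETS[key_id], data)


def verify(key_id, data, sig, keyring):
    """Stand-in for gpg --verify; keyring maps key ids to keys the tool holds."""
    secret = keyring.get(key_id)
    if secret is None:
        raise VerificationError(f"key {key_id} not in keyring (tool would fetch it from PyPI)")
    return hmac.compare_digest(_mac(secret, data), sig)


def publish(name, content, uploader_key):
    """What the index would serve as the 'combined signature file':
    metadata signed by PyPI plus the uploader's embedded content signature."""
    metadata = json.dumps({
        "name": name,
        "sha256": hashlib.sha256(content).hexdigest(),
        "uploader_key": uploader_key,
    }, sort_keys=True).encode()
    return {
        "metadata": metadata,
        "pypi_sig": sign(INDEX_KEY, metadata),
        "uploader_sig": sign(uploader_key, content),
    }


def verify_package(content, combined, keyring, trust):
    """Return the metadata dict if every step passes, else raise.
    The step order follows the quoted process."""
    # Step 1: PyPI's signature over the metadata file.
    if not verify(INDEX_KEY, combined["metadata"], combined["pypi_sig"], keyring):
        raise VerificationError("PyPI signature over metadata failed")
    meta = json.loads(combined["metadata"])
    # Step 2: the signed metadata must bind the bytes actually downloaded.
    if hashlib.sha256(content).hexdigest() != meta["sha256"]:
        raise VerificationError("content hash does not match signed metadata")
    # Step 3: the uploader's signature, checked with the key PyPI's metadata
    # names, never with a key id taken from the unauthenticated signature.
    if not verify(meta["uploader_key"], content, combined["uploader_sig"], keyring):
        raise VerificationError("uploader signature over content failed")
    # Step 4: the downloader's trust decision for that key.
    if trust.get(meta["uploader_key"]) not in ("full", "marginal"):
        raise VerificationError(f"no trust established for {meta['uploader_key']}")
    return meta


def outcome(content, combined, keyring, trust):
    """'ok', or the reason the install must be refused."""
    try:
        verify_package(content, combined, keyring, trust)
        return "ok"
    except VerificationError as e:
        return f"refused: {e}"


# Constructed scenario: Alice uploads example-pkg, the downloader trusts her key.
CONTENT = b"example-pkg-1.0.tar.gz bytes (constructed)"
COMBINED = publish("example-pkg", CONTENT, "UPLOADER-KEY-ALICE")
TRUST = {"UPLOADER-KEY-ALICE": "full"}


def tampered_download():
    """The archive is replaced and re-signed with a different uploader key;
    the PyPI-signed metadata still names Alice's key and hash, so it fails."""
    evil = CONTENT + b" tampered"
    forged = dict(COMBINED, uploader_sig=sign("UPLOADER-KEY-MALLORY", evil))
    return outcome(evil, forged, SECRETS, TRUST)


if __name__ == "__main__":
    print(outcome(CONTENT, COMBINED, SECRETS, TRUST))
    print(tampered_download())
    print(outcome(CONTENT, COMBINED, SECRETS, {}))  # no trust decision made yet
    print(outcome(CONTENT, COMBINED, {INDEX_KEY: SECRETS[INDEX_KEY]}, TRUST))  # uploader key missing
```

The trust map is the part the quoted text says still needs discussion: here it is a plain dict the downloader fills in per key, and an unknown key fails closed rather than defaulting to installation.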
