On a general note: Trust in keys is a hard problem which people have tried to solve for 20-30 years now. We are not going to solve it here and now.
The only path forward when it comes to keys and signatures is that we ask people to trust a central key source. This is not a perfect solution, but the only one that is practical and feasible right now. Personally, I also see package signing as a "high-hanging fruit" in the security issues regarding the current state of Python packaging. In the interest of security and efficiency we should concentrate on the low-hanging fruits first.
//Lennart