Quote from Lennart Regebro <rege...@gmail.com>:

It is, for Plone, a several hundred times operation. This is not a
feasible path.

There is surely an obvious delegation of trust happening here. If plone
has 100 dependencies, it is really the authors of plone itself which
declared that they trust these packages; the end user in turn trusts the
plone developers (both in their own code, and in their dependencies).

So it's really the plone "top level" package which needs to declare
e.g. what PGP keys should have signed those dependencies.

E.g. the Plone package (4.2) depends on 13 other packages. It's IMO
not asking too much to have the author of this package
(which happens to be "Plone Foundation") declare what GPG key
ought to sign each of these 13 dependencies, e.g. by including
a keyring of trusted public keys for the dependencies.

Regards,
Martin
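The delegation model Martin sketches (the top-level package vouches for the signing keys of its direct dependencies, and each dependency in turn vouches for its own) can be made concrete. The following is an added illustration, not code from the Catalog-SIG discussion or from Plone or PyPI: it uses Ed25519 from Go's standard library in place of PGP, a SHA-256 digest of the public key in place of a PGP fingerprint, and a hypothetical `TrustManifest` structure that a package would ship next to its dependency list. The package names and release contents are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// TrustManifest is what a "top level" package such as Plone would ship beside
// its dependency list: for each direct dependency, the fingerprints of the keys
// whose signature the package's authors accept. Hypothetical format.
type TrustManifest struct {
	Package string
	Trusted map[string][]string // dependency name -> allowed signing-key fingerprints
}

// Release is a signed artifact as an index would serve it: the content, the key
// its author claims signed it, and that author's own manifest for the next level.
type Release struct {
	Name      string
	Content   []byte
	PubKey    ed25519.PublicKey
	Signature []byte
	Manifest  TrustManifest
}

// Fingerprint stands in for a PGP fingerprint: SHA-256 of the raw public key.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// Verify accepts a dependency only if the manifest names its signing key AND the
// signature over the content checks out. The key check comes first: a perfectly
// valid signature from an undeclared key is rejected without further ado.
func (m TrustManifest) Verify(rel Release) error {
	allowed, declared := m.Trusted[rel.Name]
	if !declared {
		return fmt.Errorf("%s declares no trusted key for dependency %q", m.Package, rel.Name)
	}
	fp := Fingerprint(rel.PubKey)
	trusted := false
	for _, a := range allowed {
		if a == fp {
			trusted = true
			break
		}
	}
	if !trusted {
		return fmt.Errorf("%s: %q signed by key %s, which is not trusted for it", m.Package, rel.Name, fp[:16])
	}
	if !ed25519.Verify(rel.PubKey, rel.Content, rel.Signature) {
		return fmt.Errorf("%s: signature on %q does not verify", m.Package, rel.Name)
	}
	return nil
}

// VerifyClosure walks the dependency graph from root: root's manifest vouches for
// its direct dependencies, and each verified dependency's manifest is then used
// for its own. The end user only has to trust the root package's authors.
func VerifyClosure(root TrustManifest, releases map[string]Release, seen map[string]bool) error {
	for dep := range root.Trusted {
		if seen[dep] {
			continue
		}
		rel, ok := releases[dep]
		if !ok {
			return fmt.Errorf("%s: dependency %q not available", root.Package, dep)
		}
		if err := root.Verify(rel); err != nil {
			return err
		}
		seen[dep] = true
		if err := VerifyClosure(rel.Manifest, releases, seen); err != nil {
			return err
		}
	}
	return nil
}

func sign(name, content string, priv ed25519.PrivateKey, m TrustManifest) Release {
	pub := priv.Public().(ed25519.PublicKey)
	return Release{Name: name, Content: []byte(content), PubKey: pub,
		Signature: ed25519.Sign(priv, []byte(content)), Manifest: m}
}

// Scenario builds a constructed chain Plone -> zope.interface -> setuptools and
// returns the outcome for the genuine chain, for a zope.interface release that
// carries a valid signature from an undeclared key, and for tampered content.
func Scenario() (genuine, untrustedKey, tampered error) {
	_, zopeKey, _ := ed25519.GenerateKey(rand.Reader)
	_, stKey, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerKey, _ := ed25519.GenerateKey(rand.Reader)
	fp := func(k ed25519.PrivateKey) string { return Fingerprint(k.Public().(ed25519.PublicKey)) }

	stManifest := TrustManifest{Package: "setuptools", Trusted: map[string][]string{}}
	zopeManifest := TrustManifest{Package: "zope.interface", Trusted: map[string][]string{"setuptools": {fp(stKey)}}}
	ploneManifest := TrustManifest{Package: "Plone", Trusted: map[string][]string{"zope.interface": {fp(zopeKey)}}}

	releases := map[string]Release{ // constructed sample releases
		"setuptools":     sign("setuptools", "setuptools sdist bytes (constructed)", stKey, stManifest),
		"zope.interface": sign("zope.interface", "zope.interface sdist bytes (constructed)", zopeKey, zopeManifest),
	}
	genuine = VerifyClosure(ploneManifest, releases, map[string]bool{})

	evil := sign("zope.interface", "zope.interface sdist bytes (constructed)", attackerKey, zopeManifest)
	untrustedKey = ploneManifest.Verify(evil)

	mod := releases["zope.interface"]
	mod.Content = []byte("zope.interface sdist bytes, altered after signing")
	tampered = ploneManifest.Verify(mod)
	return
}

func main() {
	g, u, t := Scenario()
	fmt.Println("genuine chain:", g)
	fmt.Println("undeclared key:", u)
	fmt.Println("tampered content:", t)
}
```

Run it and the genuine chain verifies with a nil error while the other two are rejected. The point worth noting is that the end user never handles 100 keys: pinning Plone's own key (and, in a real system, verifying Plone's manifest with it) is enough, because every further key is vouched for one hop at a time.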


_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
