On 06.02.2013 21:55, Lennart Regebro wrote:
> On Wed, Feb 6, 2013 at 9:50 PM, <mar...@v.loewis.de> wrote:
>> There is surely an obvious delegation of trust happening here. If
>> plone has 100 dependencies, it is really the authors of plone
>> itself which declared that they trust these packages; the end
>> user in turn trusts the plone developers (both in their own code,
>> and in their dependencies).
>>
>> So it's really the plone "top level" package which needs to
>> declare e.g. what PGP keys should have signed those
>> dependencies.
>>
>> E.g. the Plone package (4.2) depends on 13 other packages. It's
>> IMO not asked too much to have the author of this package (which
>> happens to be "Plone Foundation") to declare what GPG key ought
>> to sign each of these 13 dependencies, e.g. by including a key
>> ring of trusted public keys for the dependencies.
>
> Right, but then we are again back to trusting a central authority,
> in this case plone.org. If we can trust plone.org, why can't we
> trust Python.org?
Because presumably plone foundation looks at the dependency list and cares. Nobody here suggested that PSF should actively check what is being uploaded to pypi.

Thanks
ZK

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
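The delegated key ring discussed in this thread, as an added example that is not code from the list, from Plone or from PyPI: the end user trusts only the top-level package's key, and each package's own manifest names which keys may sign each of its dependencies, so trust flows down the tree without any central authority checking uploads. HMAC-SHA256 with constructed key ids stands in for PGP signature verification, and all package names, contents and keys are constructed.

```python
import hashlib
import hmac

# Constructed stand-in for PGP keys: key id -> secret. Signing is HMAC-SHA256
# over the package bytes; a real tool would call gpg with the key ring the
# parent package ships. Key ids and secrets are made up for this example.
KEYS = {"PLONE-FOUNDATION": b"secret-1", "ZOPE-DEV": b"secret-2", "ROGUE": b"secret-3"}

def sign(key_id, data):
    return hmac.new(KEYS[key_id], data, hashlib.sha256).hexdigest()

def verify(key_id, data, sig):
    return hmac.compare_digest(sign(key_id, data), sig)

# Constructed index. Each package names its signer and, for every dependency,
# the key ids it delegates trust to (the "key ring of trusted public keys").
# "five.pt" is signed by a key Plone never delegated to, so it must be flagged.
INDEX = {
    "Plone": {"data": b"Plone-4.2", "signer": "PLONE-FOUNDATION",
              "deps": {"zope.interface": {"ZOPE-DEV"},
                       "five.pt": {"PLONE-FOUNDATION", "ZOPE-DEV"}}},
    "zope.interface": {"data": b"zope.interface-4.0", "signer": "ZOPE-DEV", "deps": {}},
    "five.pt": {"data": b"five.pt-2.1", "signer": "ROGUE", "deps": {}},
}
for pkg in INDEX.values():
    pkg["sig"] = sign(pkg["signer"], pkg["data"])

def check_tree(name, trusted, index, seen=None):
    """Walk the dependency tree from `name`. The end user supplies only the
    keys trusted for the root; every deeper level is delegated by its parent.
    Returns a list of (package, problem) tuples; an empty list means all good."""
    seen = set() if seen is None else seen
    if name in seen:  # shared or cyclic dependency, already checked under its first parent
        return []
    seen.add(name)
    pkg = index.get(name)
    if pkg is None:
        return [(name, "missing from index")]
    problems = []
    if pkg["signer"] not in trusted:
        problems.append((name, "signed by undelegated key " + pkg["signer"]))
    elif not verify(pkg["signer"], pkg["data"], pkg["sig"]):
        problems.append((name, "bad signature"))
    for dep, dep_keys in pkg["deps"].items():
        problems.extend(check_tree(dep, dep_keys, index, seen))
    return problems
```

Note that a package reached from two parents is only checked against the first parent's delegation; a stricter tool would key `seen` on the package together with the delegated key set.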