Daniel Holth <dholth <at> gmail.com> writes:

> That is why the original wheel signing design uses no GPG, a system that has
> proven to be unused in practice.

It's not like there's some other PKI system which is so much easier to use that it's a no-brainer, such that it has widespread adoption with the type of user that Donald was talking about. A lot of it is that people are very happy to trade security for convenience, and you can't really have additional security with *no* loss of convenience (though that loss may be small). Why, most of us can't even be bothered to read on-line license terms and conditions, preferring to click the "I Agree" button as soon as it appears!

In the Windows world, people are used to being prompted to accept a program publisher's identity verified by a code-signing certificate, just like an SSL certificate. Of course, you can have signed malware, as is in the news this week.

With Python packages, you can't easily just trust one publisher, because of all the recursive dependencies a package pulls in. It's mostly a blessing, but not in this regard.

Regards,

Vinay Sajip

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig