On 13 February 2013 15:12, Giovanni Bajo <ra...@develer.com> wrote:
> Yes, that's correct. The GPG chain-of-trust concept is not used in my proposal,
> because I don't think it would be a good fit for this problem given its
> requirements. Specifically, I believe pip users should not be bothered with
> useless click-through questions for each new package they install, which is
> what you would get far too often in case chain-of-trust were used.
But this means someone who gets access to the PyPI server can just mark their own key as trusted and compromise any package they want.

-Rob

--
Robert Collins <rbtcoll...@hp.com>
Distinguished Technologist
HP Cloud Services

_______________________________________________
Catalog-SIG mailing list
Catalog-SIG@python.org
http://mail.python.org/mailman/listinfo/catalog-sig
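The objection above can be made concrete with a small model of the two client policies it contrasts. The following is an added example written for this page, not code from the thread, from pip, or from any PyPI proposal. It models signatures with HMAC-SHA256 (a stand-in for a public-key scheme: what matters is who holds the secret needed to produce an acceptable signature) and uses constructed key names and contents. Policy A accepts whatever key list the index serves; policy B only accepts a key list signed by a root key that the client pins and that is never stored on the index host.

```python
"""Toy model: server-published trust list vs. a client-pinned offline root.

Signatures are HMAC-SHA256 (constructed stand-in for public-key signatures):
a 'key' is a secret, and whoever holds it can sign. The question the model
answers is which party can mint a signature each client policy will accept.
"""
import hashlib
import hmac
import json


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so signatures cover a stable byte string."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(secret: bytes, payload: bytes) -> str:
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def verify(secret: bytes, payload: bytes, sig: str) -> bool:
    return hmac.compare_digest(sign(secret, payload), sig)


# Constructed key material (keyid, secret). The root secret is held offline and
# is deliberately never part of anything the index host stores.
MAINTAINER = ("maint-2013", b"maintainer-secret")
ROOT = ("root-offline", b"root-secret-never-on-server")
ATTACKER = ("evil", b"attacker-secret")


def make_release(keyid, secret, name, version, content: bytes):
    """A signed release record: metadata (incl. artifact hash) signed by keyid."""
    meta = {"name": name, "version": version,
            "sha256": hashlib.sha256(content).hexdigest(), "keyid": keyid}
    return {"meta": meta, "sig": sign(secret, canonical(meta)), "content": content}


def make_index(release, key_list, root=None):
    """key_list maps keyid -> hex secret (stand-in for published public keys).
    If root is given, the key list itself is signed by the offline root key."""
    index = {"release": release, "keys": dict(key_list)}
    if root is not None:
        index["keys_sig"] = sign(root[1], canonical(index["keys"]))
    return index


def client_trusts_server_list(index) -> bool:
    """Policy A: any key present in the list the index serves is trusted."""
    keys, rel = index["keys"], index["release"]
    keyid = rel["meta"]["keyid"]
    if keyid not in keys:
        return False
    if not verify(bytes.fromhex(keys[keyid]), canonical(rel["meta"]), rel["sig"]):
        return False
    return hashlib.sha256(rel["content"]).hexdigest() == rel["meta"]["sha256"]


def client_pins_root(index, pinned_root: bytes) -> bool:
    """Policy B: the key list is only trusted if signed by the pinned root key;
    after that the per-release checks are the same as policy A."""
    if not verify(pinned_root, canonical(index["keys"]), index.get("keys_sig", "")):
        return False
    return client_trusts_server_list(index)


def simulate_server_compromise(index, attacker):
    """Model of write access to the index host: replace the artifact, sign it
    with a new key, and add that key to the served key list. The old keys_sig
    (if any) is left in place because the root secret is not on the server."""
    keyid, secret = attacker
    meta = index["release"]["meta"]
    tampered = dict(index)
    tampered["keys"] = {**index["keys"], keyid: secret.hex()}
    tampered["release"] = make_release(keyid, secret, meta["name"], meta["version"],
                                       b"constructed modified artifact")
    return tampered


def demo():
    """Returns each policy's verdict on an honest and a tampered index."""
    keys = {MAINTAINER[0]: MAINTAINER[1].hex()}
    release = make_release(*MAINTAINER, "demo-pkg", "1.0", b"constructed artifact")
    honest = make_index(release, keys, root=ROOT)
    tampered = simulate_server_compromise(honest, ATTACKER)
    return {
        "server_list/honest": client_trusts_server_list(honest),
        "server_list/tampered": client_trusts_server_list(tampered),   # accepted: the flaw
        "pinned_root/honest": client_pins_root(honest, ROOT[1]),
        "pinned_root/tampered": client_pins_root(tampered, ROOT[1]),   # rejected
    }


if __name__ == "__main__":
    for policy, ok in demo().items():
        print(f"{policy:24} -> {'accept' if ok else 'reject'}")
```

The only structural difference between the two policies is where authority over the key list lives: under policy A the index host is the root of trust, so whoever controls it controls which keys verify; under policy B the index merely relays a key list it cannot alter without detection, which is the property the objection above asks for.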