On 21 Feb 2013 06:57, "Donald Stufft" <donald.stu...@gmail.com> wrote:
>
> On Wednesday, February 20, 2013 at 3:50 PM, Daniel Holth wrote:
>>
>> Bikeshed detected.
>
> Basically.
>
> We basically can't use any of the properties of the various signing techs besides
> their ability to sign documents so the choice of them doesn't particularly matter.

Not *quite* true - GPG comes with more mature client side tech for managing signing keys at the developer end, and that's independent of the PyPI trust model.

Since it's a coin flip otherwise, that's probably going to be enough for us to favour GPG as the signing tech. In the spirit of "status quo wins a stalemate", GPG should currently be considered the default choice, with alternatives needing to offer genuinely compelling advantages to displace it.

(note that isolating the signature generation and verification to a separate non-Python process isn't a major issue from my point of view)

Cheers,
Nick.

>
>
> _______________________________________________
> Catalog-SIG mailing list
> Catalog-SIG@python.org
> http://mail.python.org/mailman/listinfo/catalog-sig
>