On Tue, Jul 16, 2013 at 13:57 -0400, Donald Stufft wrote:
> On Jul 16, 2013, at 5:19 AM, holger krekel <hol...@merlinux.eu> wrote:
>
> > I am considering implementing gpg-signing and verification of release files
> > for devpi. Rather than requiring package authors to sign their release
> > files, I am pondering a scheme where anyone can vet for a particular
> > published release file by publishing a signature about it. This aims
> > to help responsible companies to work together.
>
> So I'm not entirely sure what your goals are here.

The goal is to facilitate collaboration between individuals and companies in
vetting the integrity and, to some degree, authenticity of a published PyPI
package.

> What exactly are you verifying? What is going to verify signatures once you
> have a (theoretically) trusted set? What is going to keep a malicious actor
> from poisoning the well?

These are typical questions, which is why I asked if anyone knows about
existing schemes/efforts. I guess most Linux distros do it already, so if
nothing PyPI-specific comes up here (what is the status of TUF, btw?) I am
going to look into the distros' working models. One difference is that I want
the vetting/signing to happen after publishing to allow for an incremental
approach.

cheers,
holger
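The post-publication vetting scheme sketched above, as an added example that is not devpi's or the list's own code: ed25519 signatures over a SHA-256 digest stand in for gpg signatures, the vetter names, keyring and release contents are constructed, and the consumer decides which vetters it trusts and how many signatures it requires.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Vetter is a constructed stand-in for one vetting party's gpg key (ed25519 here).
type Vetter struct {
	Name string
	priv ed25519.PrivateKey
}
func NewVetter(name string) Vetter {
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	return Vetter{Name: name, priv: priv}
}
func (v Vetter) Pub() ed25519.PublicKey { return v.priv.Public().(ed25519.PublicKey) }

// Keyring is the consumer's own allow-list of vetter keys it chooses to trust.
type Keyring map[string]ed25519.PublicKey

// Attestation is what a vetter publishes after reviewing an already-released file.
type Attestation struct {
	Vetter string
	Sig    []byte
}

// attestMessage binds the signature to the file name and SHA-256 digest, so a
// signature cannot be replayed for a different release or a modified file.
func attestMessage(filename string, content []byte) []byte {
	sum := sha256.Sum256(content)
	return []byte(fmt.Sprintf("vet:%s:%x", filename, sum))
}
func (v Vetter) Attest(filename string, content []byte) Attestation {
	return Attestation{Vetter: v.Name, Sig: ed25519.Sign(v.priv, attestMessage(filename, content))}
}

// CountVetted returns how many distinct trusted vetters validly signed this exact
// file. Signatures from keys outside the keyring are ignored, so merely publishing
// one gains an untrusted party nothing; the consumer then applies its own threshold.
func CountVetted(filename string, content []byte, ring Keyring, atts []Attestation) int {
	msg := attestMessage(filename, content)
	seen := map[string]bool{}
	for _, a := range atts {
		if pub, ok := ring[a.Vetter]; ok && ed25519.Verify(pub, msg, a.Sig) {
			seen[a.Vetter] = true
		}
	}
	return len(seen)
}
```

A consumer would install only when CountVetted reaches its chosen threshold, say two independent vetters, and the same check rejects a signature replayed onto a different file name or a tampered archive.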