In my opinion it is a good idea to embed, not just the *name* of the package that your package depends on, but also the public key or public keys that your package requires the depended-upon package to be signed by.
There was a time when wheel did this, using Ed25519 keys (which are nice and small so it is easy to embed them directly into the metadata next to things like URLs and Author Names). I don't know if it still does.

There's a PEP that mentions JWS signatures: http://www.python.org/dev/peps/pep-0427/

Regards,

Zooko
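The check the post proposes, worked through as an added example that is not part of the original message and not wheel's or PEP 427's own format: a depending package pins the Ed25519 public keys its dependency must be signed by, and the installer verifies a fetched release against those pinned keys only, never against a key the release carries about itself. Go is used because its standard library includes Ed25519; the `Requirement` and `Release` layouts, the name-binding digest, and the fixed-seed keys are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Requirement is one entry of a package's dependency list: the depended-upon
// package's name plus the Ed25519 public keys its release must be signed by.
// This is a hypothetical metadata layout, not wheel's or PEP 427's.
type Requirement struct {
	Name        string
	AllowedKeys []ed25519.PublicKey
}

// Release is a distribution as fetched from an index: its name, the archive
// bytes, and a detached Ed25519 signature over a digest of both.
type Release struct {
	Name      string
	Payload   []byte
	Signature []byte
}

// Pin builds a Requirement that only accepts releases signed by the given keys.
func Pin(name string, keys ...ed25519.PublicKey) Requirement {
	return Requirement{Name: name, AllowedKeys: keys}
}

// digest binds the package name to the payload so a validly signed archive
// cannot be re-served under a different package name.
func digest(name string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write([]byte{0}) // separator so "ab"+"c" and "a"+"bc" differ
	h.Write(payload)
	return h.Sum(nil)
}

// Sign is what the dependency's maintainer runs at release time.
func Sign(priv ed25519.PrivateKey, name string, payload []byte) Release {
	return Release{Name: name, Payload: payload, Signature: ed25519.Sign(priv, digest(name, payload))}
}

// VerifyDependency checks a fetched release against the requirement pinned by
// the depending package. Only keys from the requirement are consulted, so a
// key shipped alongside the release itself carries no trust.
func VerifyDependency(req Requirement, rel Release) error {
	if rel.Name != req.Name {
		return fmt.Errorf("name mismatch: requirement is for %q, release is %q", req.Name, rel.Name)
	}
	if len(req.AllowedKeys) == 0 {
		return errors.New("requirement pins no keys; refusing an unverifiable dependency")
	}
	d := digest(rel.Name, rel.Payload)
	for _, pk := range req.AllowedKeys {
		// ed25519.Verify panics on a malformed key, so check the size first.
		if len(pk) == ed25519.PublicKeySize && ed25519.Verify(pk, d, rel.Signature) {
			return nil
		}
	}
	return fmt.Errorf("release of %q is not signed by any key pinned in the requirement", rel.Name)
}

// keyFromSeed derives a deterministic key pair from a constructed seed; real
// maintainers would generate a random seed and keep it offline.
func keyFromSeed(b byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{b}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pubA, privA := keyFromSeed(1) // the dependency maintainer's key
	pubB, _ := keyFromSeed(2)     // some unrelated key
	rel := Sign(privA, "leftpad", []byte("constructed archive bytes"))

	fmt.Println("pinned A, signed by A:", VerifyDependency(Pin("leftpad", pubA), rel))
	fmt.Println("pinned B, signed by A:", VerifyDependency(Pin("leftpad", pubB), rel))

	tampered := rel
	tampered.Payload = append([]byte("x"), rel.Payload...)
	fmt.Println("pinned A, payload altered:", VerifyDependency(Pin("leftpad", pubA), tampered))
}
```

Because `VerifyDependency` iterates over the pinned set, a maintainer can rotate keys by shipping a release of the depending package that lists both the old and the new key for a transition period, then dropping the old one.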