On Wed, Jul 17, 2013 at 21:46 -0400, Donald Stufft wrote:
> As I've mentioned before an online key (as is required by PyPI) means
> that if someone compromises PyPI they compromise the key. It seems to
> me that TUF is really designed to handle the case of the Linux
> distribution (or similar) where you have vetted maintainers who are
> given a subsection of the total releases. However PyPI does not have
> vetted authors nor the man power to sign authors keys offline.
If we had a person with a master key present at PyCon conferences, package maintainers could walk up and have their key signed. Given the many activities of the PSF and the community, I don't think it's off-limits. If we had sig-verified installs, there would be an incentive for authors to go for that little effort.

best,
holger
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org http://mail.python.org/mailman/listinfo/distutils-sig