On September 7, 2015 at 9:38:00 PM, Donald Stufft ([email protected]) wrote: > > I'm OK with adding the attribute to links, though we should still > mandate the > location. Neither pip nor setuptools will do anything with the > PGP signatures > but some other tooling might. The legacy behavior of "just try > the link" will > still work then, and if someone wants to do it more efficiently > the attribute > is there. I'm not sure it's going to be generally useful since > the signing on > PyPI doesn't really have a coherent threat model so it doesn't > really protect > against much.
I’ve gone ahead and done this (see https://hg.python.org/peps/rev/9090e66cc8c7). I’m going to go ahead and accept this PEP now. I think any further modifications are going to go too far beyond the goal of documenting the current state of the API and would require PEPs in their own right. ----------------- Donald Stufft PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA _______________________________________________ Distutils-SIG maillist - [email protected] https://mail.python.org/mailman/listinfo/distutils-sig
