On 2014-11-15 02:57:15 +0800 (+0800), Thomas Goirand wrote:
> Do you realize that with the TLS system, you have to trust each
> and every CA, while with PGP, you only need to trust a single
> fingerprint?

Technically not true *if* the package retrieval tools implement
certificate pinning rather than trusting any old CA (after all,
they're not Web browsers, so they could in theory do that with
minimal impact).

Too bad https://github.com/pypa/pip/issues/1168 hasn't gotten much
Jeremy Stanley
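
The pinning idea in the reply above, as an added example that is not part of the original message and is not pip's code: a retrieval tool keeps normal CA and hostname validation and additionally requires the server's certificate to match a pinned SHA-256 fingerprint. The host name, the `PINS` table and the byte strings standing in for DER certificates are constructed for illustration.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CURRENT_CERT = b"constructed-der-current"
BACKUP_CERT = b"constructed-der-backup"

# Hypothetical pin table: host -> SHA-256 fingerprints of accepted certificates.
# The second entry is a backup pin so a planned rotation does not lock clients out.
PINS = {
    "packages.example.org": {
        hashlib.sha256(CURRENT_CERT).hexdigest(),
        hashlib.sha256(BACKUP_CERT).hexdigest(),
    },
}


class PinMismatch(Exception):
    """Raised when the peer certificate matches no pin for the host."""


def check_pin(host, der_cert, pins=PINS):
    """Return the matching fingerprint, or raise PinMismatch (fail closed)."""
    allowed = pins.get(host)
    if not allowed:
        # A host without pins is rejected rather than falling back to CA trust.
        raise PinMismatch(f"no pins configured for {host}")
    seen = hashlib.sha256(der_cert).hexdigest()
    for pin in allowed:
        if hmac.compare_digest(seen, pin):
            return seen
    raise PinMismatch(f"certificate {seen} is not pinned for {host}")


def open_pinned(host, port=443, pins=PINS, timeout=10):
    """Connect with CA and hostname validation, then enforce the pin."""
    ctx = ssl.create_default_context()
    sock = ctx.wrap_socket(socket.create_connection((host, port), timeout),
                           server_hostname=host)
    try:
        # binary_form=True returns the peer certificate as DER bytes.
        check_pin(host, sock.getpeercert(binary_form=True), pins)
    except PinMismatch:
        sock.close()
        raise
    return sock
```

With the pin enforced, a certificate for the same host name issued by any other trusted CA is rejected, because its fingerprint is not in the table.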

OpenStack-dev mailing list
