On Sat, Apr 4, 2015 at 6:07 PM, Steve Dower <steve.do...@microsoft.com> wrote: > There's no problem, per se, but initially it was less trouble to use the > trusted PSF certificate and native support than to add an extra step using a > program I don't already use and trust, am restricted in use by my employer > (because of the license and the fact there are alternatives), and developing > the trust in a brand new certificate. > > Eventually the people saying "do it" will win through sheer persistence, > since I'll get sick of trying to get a more detailed response and just > concede. Not sure if that's how we want to be running the project though...
I don't get the impression that there's any particularly detailed rationale that people aren't giving you; it's just that to the average python-dev denizen, gpg-signing seems to provide some mild benefits and with no downside. The certificate trust issue isn't a downside, just a mild dilution of the upside. And I suspect python-dev generally doesn't put much weight on the extra effort required (release managers have all been using gpg for decades, it's pretty trivial), or see any reason why Microsoft's internal GPL-hate should have any effect on the PSF's behaviour. Though it's kinda inconvenient for you, obviously. (I guess you could call Larry or someone, read them a hash over the phone, and then have them create the actual gpg signatures.) -n _______________________________________________ Python-Dev mailing list Python-Dev@python.org https://mail.python.org/mailman/listinfo/python-dev Unsubscribe: https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com