On Thu, 6 Jul 2023 at 04:08, Gregory Disney <gregory.disney.leug...@gmail.com> wrote:
>
> Why not just use gpg signatures and maintain trusted signing keys? There’s no
> reason to reinvent the wheel. If a user wants to use unsigned or untrusted
> packages, they have to accept the risk.
>
As an alternative to a blockchain? No idea, but I've never considered blockchains to be useful for anything more than toys anyway.

As an alternative to a curated package list? That just comes down to who holds the trusted keys, so it's the same as the other suggestions, only you're looking at the mechanics for knowing whether it's on the list, as opposed to the mechanics for figuring out which things go on the list - two sides of the same coin, pretty much.

ChrisA

_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
Message archived at https://mail.python.org/archives/list/python-ideas@python.org/message/ANBP64KBYAB3MXO4NQDNMQHSXM525ZTN/