Re: [Distutils] GnuPG signatures on PyPI: why so few?

2017-03-14 Thread Glyph Lefkowitz
The big problem here, of course, is "key management"; what happens when someone throws their laptop in a river. https://github.com/ahf/teneo indicates to me that it may be possible to use a KDF to get an Ed25519 key from a passphrase that the user remembers, minilock-style, largely mitigating

Re: [Distutils] PEP 426 moved back to Draft status

2017-03-14 Thread Nathaniel Smith
On Tue, Mar 14, 2017 at 12:34 AM, Nick Coghlan wrote:
> On 14 March 2017 at 09:41, Nathaniel Smith wrote:
>>
>> On Fri, Mar 10, 2017 at 7:55 AM, Nick Coghlan wrote:
>> > On 11 March 2017 at 00:52, Nathaniel Smith wrote:
>>

Re: [Distutils] GnuPG signatures on PyPI: why so few?

2017-03-14 Thread Daniel Holth
The wheel command implements but never fully realized the commands 'wheel keygen', 'wheel sign' for a bundled signature scheme (where the signature is inside the signed file) inspired by JAR signing and based on Ed25519 primitives + JSON web signature / JSON web key. The idea was to have wheel

Re: [Distutils] GnuPG signatures on PyPI: why so few?

2017-03-14 Thread Nick Coghlan
On 14 March 2017 at 15:48, Glyph Lefkowitz wrote:
>
> 2. Except, as stated - i.e. hashes without signatures - this just means we
> all trust Github rather than PyPI :).
>
Yeah, HTTPS would still be a common point of compromise - that kind of simple scheme would just let