Re: [Python-Dev] Signed packages

2012-06-28 Thread martin
Quoting Hynek Schlawack: On 23.06.12 14:03, mar...@v.loewis.de wrote: I'm surprised gpg hasn't been mentioned here. I think these are all solved problems, most free software that is signed signs it with the gpg key of the author. In that case all that is needed is that the cheeseshop a

Re: [Python-Dev] Signed packages

2012-06-28 Thread Hynek Schlawack
On 23.06.12 14:03, mar...@v.loewis.de wrote: >> I'm surprised gpg hasn't been mentioned here. I think these are all >> solved problems, most free software that is signed signs it with the >> gpg key of the author. In that case all that is needed is that the >> cheeseshop allows the uploading o

Re: [Python-Dev] Signed packages

2012-06-23 Thread martin
I'm surprised gpg hasn't been mentioned here. I think these are all solved problems, most free software that is signed signs it with the gpg key of the author. In that case all that is needed is that the cheeseshop allows the uploading of the signature. For the record, the cheeseshop has been

Re: [Python-Dev] Signed packages

2012-06-23 Thread Floris Bruynooghe
Oh sorry, having read the thread this spawned from I see you're talking about MS Windows signed binaries. Something I know next to nothing about, so ignore my babbling. On 23 June 2012 11:52, Floris Bruynooghe wrote: > On 22 June 2012 17:56, Donald Stufft wrote: >> On Friday, June 22, 2012 at 12

Re: [Python-Dev] Signed packages

2012-06-23 Thread Floris Bruynooghe
On 22 June 2012 17:56, Donald Stufft wrote: > On Friday, June 22, 2012 at 12:54 PM, Alexandre Zani wrote: > > Key distribution is the real issue though. If there isn't a key > distribution infrastructure in place, we might as well not bother with > signatures. PyPI could issue x509 certs to packag

Re: [Python-Dev] Signed packages

2012-06-22 Thread Donald Stufft
Not at the moment, but I could gather them up and make them public later today. They are very rough draft at the moment. On Friday, June 22, 2012 at 1:09 PM, Alexandre Zani wrote: > On Fri, Jun 22, 2012 at 9:56 AM, Donald Stufft (mailto:donald.stu...@gmail.com)> wrote: > > On Friday, June 22,

Re: [Python-Dev] Signed packages

2012-06-22 Thread Alexandre Zani
On Fri, Jun 22, 2012 at 9:56 AM, Donald Stufft wrote: > On Friday, June 22, 2012 at 12:54 PM, Alexandre Zani wrote: > > > Key distribution is the real issue though. If there isn't a key > distribution infrastructure in place, we might as well not bother with > signatures. PyPI could issue x509 cer

Re: [Python-Dev] Signed packages

2012-06-22 Thread Donald Stufft
On Friday, June 22, 2012 at 12:54 PM, Alexandre Zani wrote: > > Key distribution is the real issue though. If there isn't a key > distribution infrastructure in place, we might as well not bother with > signatures. PyPI could issue x509 certs to packagers. You wouldn't be > able to verify that the

Re: [Python-Dev] Signed packages

2012-06-22 Thread Alexandre Zani
On Fri, Jun 22, 2012 at 9:35 AM, Donald Stufft wrote: > Ideally authors will be signing their packages (using gpg keys). Of course > how to distribute keys is an exercise left to the reader. Key distribution is the real issue though. If there isn't a key distribution infrastructure in place, we m

Re: [Python-Dev] Signed packages

2012-06-22 Thread Donald Stufft
Ideally authors will be signing their packages (using gpg keys). Of course how to distribute keys is an exercise left to the reader. On Friday, June 22, 2012 at 11:48 AM, Vinay Sajip wrote: > v.loewis.de (http://v.loewis.de)> writes: > > > > > See above. Also notice that such signing is alre

Re: [Python-Dev] Signed packages

2012-06-22 Thread Vinay Sajip
v.loewis.de> writes: > > See above. Also notice that such signing is already implemented, as part > of PEP 381. > BTW, I notice that the certificate for https://pypi.python.org/ expired a week ago ... Regards, Vinay Sajip

Re: [Python-Dev] Signed packages

2012-06-22 Thread martin
Quoting Antoine Pitrou: On Fri, 22 Jun 2012 12:27:19 +0100 Paul Moore wrote: Signed binaries may be a solution. My experience with signed binaries has not been exactly positive, but it's an option. Presumably PyPI would be the trusted authority? Would PyPI and the downloaders need to use

[Python-Dev] Signed packages

2012-06-22 Thread Antoine Pitrou
On Fri, 22 Jun 2012 12:27:19 +0100 Paul Moore wrote: > > Signed binaries may be a solution. My experience with signed binaries > has not been exactly positive, but it's an option. Presumably PyPI > would be the trusted authority? Would PyPI and the downloaders need to > use SSL? Would developers