Oh sorry, having read the thread this spawned from I see you're talking about MS Windows signed binaries. Something I know next to nothing about, so ignore my babbling.
On 23 June 2012 11:52, Floris Bruynooghe <f...@devork.be> wrote:
> On 22 June 2012 17:56, Donald Stufft <donald.stu...@gmail.com> wrote:
>> On Friday, June 22, 2012 at 12:54 PM, Alexandre Zani wrote:
>>
>> Key distribution is the real issue though. If there isn't a key
>> distribution infrastructure in place, we might as well not bother with
>> signatures. PyPI could issue x509 certs to packagers. You wouldn't be
>> able to verify that the name given is accurate, but you would be able
>> to verify that all packages with the same listed author are actually
>> by that author.
>>
>> I've been sketching out ideas for key distribution, but it's very much
>> a chicken and egg problem, very few people sign their packages (because
>> nothing uses it currently), and nobody is motivated to work on
>> infrastructure or tooling because no one signs their packages.
>
>
> I'm surprised gpg hasn't been mentioned here. I think these are all
> solved problems, most free software that is signed signs it with the
> gpg key of the author. In that case all that is needed is that the
> cheeseshop allows the uploading of the signature. As for key
> distribution, the keyservers take care of that just fine and we'd
> probably see more and better attended signing parties at python
> conferences.
>
> Regards,
> Floris

-- 
Debian GNU/Linux -- The Power of Freedom
www.debian.org | www.gnu.org | www.kernel.org

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
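The quoted exchange turns on one property: even when a signing key is not tied to a verified real-world identity, a consumer can still check that every package published under the same author name was signed by the same key, and reject a signature that verifies but comes from a different key. The following is an added illustration of that check, not code from PyPI, distutils or any of the people on this thread. It assumes the `cryptography` library (Ed25519 keys), a constructed in-memory pin store in place of a keyserver or certificate, and constructed package bytes; the names `KeyPinStore`, `verify_package` and `demo` are hypothetical.

```python
"""Trust-on-first-use key pinning for package signatures.

Added example (hypothetical names, not any real packaging tool): verify a
detached Ed25519 signature over the package bytes, then bind the signing key
to the listed author name so a later package under the same name must be
signed by the same key. The name itself is never verified, exactly as the
thread notes; only consistency across releases is.
"""
import hashlib

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)


class KeyPinStore:
    """Maps an author name to the fingerprint of the first key seen for it.

    Constructed stand-in for the key-distribution piece the thread debates
    (keyserver, PyPI-issued cert, ...); here it is just a dict.
    """

    def __init__(self) -> None:
        self.pins: dict[str, str] = {}

    @staticmethod
    def fingerprint(pub: Ed25519PublicKey) -> str:
        raw = pub.public_bytes(
            serialization.Encoding.Raw, serialization.PublicFormat.Raw
        )
        return hashlib.sha256(raw).hexdigest()

    def check(self, author: str, pub: Ed25519PublicKey) -> bool:
        """Pin the key on first sight; afterwards require the same key."""
        fp = self.fingerprint(pub)
        pinned = self.pins.setdefault(author, fp)
        return pinned == fp


def sign_package(priv: Ed25519PrivateKey, data: bytes) -> bytes:
    """Detached signature over the raw package bytes."""
    return priv.sign(data)


def verify_package(
    store: KeyPinStore,
    author: str,
    pub: Ed25519PublicKey,
    data: bytes,
    sig: bytes,
) -> str:
    """Return 'ok', 'bad-signature' or 'key-mismatch'.

    Signature validity is checked first; a valid signature from a key other
    than the one pinned for this author is still rejected.
    """
    try:
        pub.verify(sig, data)
    except InvalidSignature:
        return "bad-signature"
    if not store.check(author, pub):
        return "key-mismatch"
    return "ok"


def demo() -> tuple[str, str, str, str]:
    """Walk through the cases: two releases by one key, a valid signature
    from a different key under the same author name, and a tampered file."""
    store = KeyPinStore()
    alice = Ed25519PrivateKey.generate()   # constructed: the real author
    other = Ed25519PrivateKey.generate()   # constructed: some other key
    pkg1 = b"constructed sdist contents, release 1"
    pkg2 = b"constructed sdist contents, release 2"

    first = verify_package(store, "alice", alice.public_key(),
                           pkg1, sign_package(alice, pkg1))
    second = verify_package(store, "alice", alice.public_key(),
                            pkg2, sign_package(alice, pkg2))
    # Valid signature, but not the key pinned for "alice".
    foreign = verify_package(store, "alice", other.public_key(),
                             pkg2, sign_package(other, pkg2))
    # Right key, but the bytes changed after signing.
    tampered = verify_package(store, "alice", alice.public_key(),
                              pkg2 + b"\x00", sign_package(alice, pkg2))
    return first, second, foreign, tampered


if __name__ == "__main__":
    print(demo())  # ('ok', 'ok', 'key-mismatch', 'bad-signature')
```

The pin store is deliberately the weakest part: it gives continuity, not identity, which is the trade-off Alexandre describes. Replacing `KeyPinStore.check` with a lookup against keys fetched from a keyserver or against a PyPI-issued certificate is where the key-distribution infrastructure the thread discusses would plug in.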