On Fri, Jun 22, 2012 at 9:56 AM, Donald Stufft <donald.stufft at gmail.com> wrote:
> On Friday, June 22, 2012 at 12:54 PM, Alexandre Zani wrote:
>
> > Key distribution is the real issue though. If there isn't a key
> > distribution infrastructure in place, we might as well not bother with
> > signatures. PyPI could issue x509 certs to packagers. You wouldn't be
> > able to verify that the name given is accurate, but you would be able
> > to verify that all packages with the same listed author are actually
> > by that author.
>
> I've been sketching out ideas for key distribution, but it's very much
> a chicken and egg problem, very few people sign their packages (because
> nothing uses it currently), and nobody is motivated to work on
> infrastructure or tooling because no one signs their packages.

Are those ideas available publicly? I would love to chip in.