On 13 November 2012 10:26, M.-A. Lemburg <mal at egenix.com> wrote:
> I agree with Martin. If the point is "to protect against cryptography
> that is not used", then not using the de-facto standard in signing
> open source distribution files, which today is PGP/GPG, misses that
> point :-)
>

I agree as well. For me, the main reason for cryptography not being used is key distribution. Sure, I have a signed file, but without a key what's the point? And if I'm creating a file, why sign it if I don't know how to securely publish my key? So inventing a new signing infrastructure without a key distribution process doesn't encourage me to use crypto at all...

> It's a good idea to check integrity, but that can be done using
> hashes.
>

+1 hashing is fine, and I don't have any problem with the hashing aspects of the PEP. Maybe the signing aspects could be deferred to a subsequent PEP, to be thrashed out separately? I know Daniel has a strong interest in the signing aspect, so I'm reluctant to suggest just dropping it, but I'd rather it not be a showstopper for the rest of the current proposal.

Paul.