Commits

Richard Jones committed 4fc8dcc

explicitly state that the PEP does not currently address signature key revocation

  • Parent commits 688c426

Comments (2)

  1. Daniel Holth

    We could arrange to have pip signed by multiple keys to mitigate the risk of key compromise. The bootstrap install would require n out of m trusted signatures to proceed.

  2. Richard Jones repo owner

    OK, that's something to discuss on the SIG I think, thanks. I'm far from an expert at such things and will be taking expert advice in the matter :-)
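The n-of-m signature check that Daniel Holth proposes in the first comment, written out as an added example; this is not code from the PEP draft or from pip. Go is used because its standard library carries Ed25519, so the signatures are real rather than stand-ins. The Signature record layout, the hex key identifier, the threshold value and the sample artifact are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Signature is the detached signature record that would ship beside the pip
// download. KeyID names the signing key so the verifier knows which trusted
// public key to check it against (hypothetical layout, not from the PEP).
type Signature struct {
	KeyID string
	Sig   []byte
}

// KeyID derives the identifier the trust list is keyed by: hex of the raw
// Ed25519 public key (an assumption for this example).
func KeyID(pub ed25519.PublicKey) string {
	return hex.EncodeToString(pub)
}

// Sign produces a signature over the SHA-256 digest of the artifact, so the
// digest itself can be published and checked independently of the signatures.
func Sign(priv ed25519.PrivateKey, artifact []byte) Signature {
	d := sha256.Sum256(artifact)
	return Signature{
		KeyID: KeyID(priv.Public().(ed25519.PublicKey)),
		Sig:   ed25519.Sign(priv, d[:]),
	}
}

// CountValidSigners returns how many distinct trusted keys produced a valid
// signature over the digest. Counting distinct keys rather than signatures is
// the point of the threshold: one compromised key cannot satisfy n by signing
// n times, and signatures from keys outside the trust list are ignored.
func CountValidSigners(trusted map[string]ed25519.PublicKey, digest []byte, sigs []Signature) int {
	seen := map[string]bool{}
	for _, s := range sigs {
		pub, ok := trusted[s.KeyID]
		if !ok || seen[s.KeyID] {
			continue
		}
		if ed25519.Verify(pub, digest, s.Sig) {
			seen[s.KeyID] = true
		}
	}
	return len(seen)
}

// ThresholdOK is the bootstrap's go/no-go decision: proceed only if at least n
// of the m trusted keys have validly signed this exact artifact.
func ThresholdOK(trusted map[string]ed25519.PublicKey, artifact []byte, sigs []Signature, n int) bool {
	if n <= 0 || n > len(trusted) {
		return false // a threshold that is trivially met or never met is a configuration error
	}
	d := sha256.Sum256(artifact)
	return CountValidSigners(trusted, d[:], sigs) >= n
}

func main() {
	// Constructed stand-in for the pip bootstrap download.
	artifact := []byte("constructed stand-in for the pip bootstrap download")
	trusted := map[string]ed25519.PublicKey{}
	var signers []ed25519.PrivateKey
	for i := 0; i < 3; i++ { // m = 3 trusted keys, generated here for the demo
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		trusted[KeyID(pub)] = pub
		signers = append(signers, priv)
	}
	const n = 2
	two := []Signature{Sign(signers[0], artifact), Sign(signers[1], artifact)}
	fmt.Println("two distinct trusted signers:", ThresholdOK(trusted, artifact, two, n))
	dup := []Signature{Sign(signers[0], artifact), Sign(signers[0], artifact)}
	fmt.Println("one compromised key signing twice:", ThresholdOK(trusted, artifact, dup, n))
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)
	mixed := []Signature{Sign(signers[0], artifact), Sign(rogue, artifact)}
	fmt.Println("trusted plus untrusted signer:", ThresholdOK(trusted, artifact, mixed, n))
	fmt.Println("tampered artifact:", ThresholdOK(trusted, []byte("tampered download"), two, n))
}
```

The deduplication by KeyID is what makes this a threshold rather than a signature count; without it a single compromised key could satisfy any n. What the example does not solve is the revocation gap the commit records: a key on the trust list stays trusted until the bootstrap itself is reissued with a new list.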

Files changed (1)

File PEP-PIP-DRAFT.txt

 standard library as the distlib module, and that pip would be modified to use
 that functionality when present. TODO PEP reference for distlib
 
+The key that is used to sign the pip implementation download might be
+compromised and this PEP currently proposes no mechanism for key revocation.
+
 
 References
 ==========
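Review bot: the new paragraph ("The key that is used to sign the pip implementation download might be compromised and this PEP currently proposes no mechanism for key revocation.") records the gap but leaves it untracked, while the file's own convention for open items is an inline marker, as in the preceding "TODO PEP reference for distlib"; consider closing the paragraph with a matching "TODO key revocation / rotation" line so it is picked up with the other outstanding work. It would also help to name the candidate mitigation already raised in the comments, requiring n out of m trusted signatures for the bootstrap to proceed, and to say whether the PEP intends to evaluate it, since as written the reader is told only that the problem exists.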