

Richard Jones  committed 4fc8dcc

explicitly state that the PEP does not currently address signature key revocation

  • Parent commits 688c426
  • Branches default

Comments (2)

  1. Daniel Holth

    We could arrange to have pip signed by multiple keys to mitigate the risk of key compromise. The bootstrap install would require n out of m trusted signatures to proceed.

  2. Richard Jones repo owner

    OK, that's something to discuss on the SIG I think, thanks. I'm far from an expert at such things and will be taking expert advice in the matter :-)

Files changed (1)


 standard library as the distlib module, and that pip would be modified to use
 that functionality when present. TODO PEP reference for distlib
+The key that is used to sign the pip implementation download might be
+compromised and this PEP currently proposes no mechanism for key revocation.
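Review bot: The two added lines start a new paragraph but there is no blank line between them and the preceding line ("that functionality when present. TODO PEP reference for distlib"), so in the PEP's text they will render as a continuation of that paragraph rather than as the separate caveat they are meant to be; insert a blank line before "The key that is used to sign the pip implementation download might be". The caveat itself would also be more useful to a reader if it said what the gap means in practice, namely that a verifier following this PEP has no way to stop trusting a key once it is known to be compromised, and either flagged it as an open issue or pointed to where it will be discussed (the commit comments already raise requiring n of m trusted signatures for the bootstrap install as one mitigation to take to the SIG).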