Salvo Tomaselli <tipos...@tiscali.it> writes:

> I am currently not using any service to upload to pypi. But this
> requires the occasional creation and deletion of global tokens.
>
> The only way to avoid global tokens is to upload from github, in which
> case I can no longer sign the .tar.gz.

Well, you *can*, but you would have to then download the .tar.gz from PyPI, perform whatever checks you need to in order to ensure it is a faithful copy of the source release, and then sign it and put that .asc file somewhere (such as a GitHub release artifact). But it's an annoying process and I'm not sure anyone has automated it.

> A signature isn't the same as a checksum. Probably nobody was using them
> because there was no way to check them automatically.

I suspect this chicken-and-egg problem is the heart of it. There are similar mechanisms for Perl modules that, last I checked, no one really used, although I think there was some recent movement towards maybe integrating it a bit more. It's very hard to create a critical mass of people who care enough to keep all the pieces working. PGP signatures definitely seem to be a minority interest among most upstream language communities.

-- 
Russ Allbery (r...@debian.org) <https://www.eyrie.org/~eagle/>
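The "download it back from PyPI, check it, then sign it" workflow described above, written out as an added example that is not code from either poster. It assumes the Python standard library plus `gpg` on PATH, a locally built sdist from the release tag (`python -m build --sdist`), and PyPI's public JSON API at `https://pypi.org/pypi/<name>/<version>/json`.

```python
"""Verify that the sdist PyPI serves is byte-identical to the one built
from the release tag, and only then produce a detached PGP signature."""
import hashlib
import json
import subprocess
import urllib.request
from pathlib import Path

PYPI_JSON = "https://pypi.org/pypi/{name}/{version}/json"


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large archives are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def pick_sdist(release):
    """From a PyPI release JSON document return (url, sha256, filename) of
    the sdist; refuse anything but exactly one so a stray upload is noticed."""
    sdists = [u for u in release["urls"] if u["packagetype"] == "sdist"]
    if len(sdists) != 1:
        raise ValueError(f"expected exactly one sdist, found {len(sdists)}")
    s = sdists[0]
    return s["url"], s["digests"]["sha256"], s["filename"]


def sdist_matches(local_path, downloaded_path):
    """True iff both archives have the same SHA-256, i.e. the PyPI copy is
    faithful to the local build (assumes a reproducible sdist build)."""
    return sha256_of(local_path) == sha256_of(downloaded_path)


def fetch_and_sign(name, version, local_sdist, workdir="."):
    """Download the PyPI sdist, check it against PyPI's own digest and the
    locally built sdist, then write <filename>.asc next to the download."""
    with urllib.request.urlopen(PYPI_JSON.format(name=name, version=version)) as r:
        url, expected, filename = pick_sdist(json.load(r))
    target = Path(workdir) / filename
    urllib.request.urlretrieve(url, target)
    if sha256_of(target) != expected:
        raise RuntimeError("download does not match the digest PyPI reports")
    if not sdist_matches(local_sdist, target):
        raise RuntimeError("PyPI sdist differs from the local build; not signing")
    # gpg writes the armored detached signature to <target>.asc
    subprocess.run(["gpg", "--armor", "--detach-sign", str(target)], check=True)
    return target.with_name(filename + ".asc")
```

If the sdist build is not reproducible (tarball timestamps differ), the byte comparison will fail even for honest uploads; in that case unpack both archives and diff the trees instead of comparing digests.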