On 2026-02-12 10:40:20 +0100 (+0100), Johannes Schauer Marin Rodrigues wrote:
> [...]
> I am upstream of some Python modules and have a bad feeling about using pypi since I got this email from them in October 2023:
>
> Subject: [PyPI] Unsupported GPG signature uploaded to PyPI
> [...]
> I have a bad feeling about a service which actively removed support for attaching a cryptographic signature to my upload. I have since dropped pypi as the source of my Debian Python packages and use my upstream git repo with signed tags instead.

Upstream in a lot of the Python-based projects I work on, when the writing was on the wall that PyPI (Cheeseshop and later Warehouse) maintainers considered artifact signatures useless and made noises about removing support for them in the future, we started publishing signatures for our sdist (source tarball) and wheel (binary) packages on a separate web site so that users and downstream distribution package maintainers could still verify the provenance of files retrieved from there or from PyPI. I know a lot of smaller projects can't afford to do that, but it served as a suitable compromise for us at least.
--
Jeremy Stanley
