Ben Finney <bign...@debian.org> writes:

> However, this only works if upstream releases are actually accompanied
> by a valid GnuPG signature each time. The PyPI infrastructure supports
> this; why isn't it more widely encouraged?

One reason I have found for myself: I can forget to sign the package
when uploading to PyPI, and PyPI doesn't let you make any changes after
the package is uploaded without changing the version (including adding
a signature file). There is a long-running bug report on this; it is not
going to get fixed (TLDR: it is not a bug, it is a design feature to
allow for caching).

Maybe there is some way of turning signatures on by default, so I don't
have to remember for every upload; if so, I haven't been able to work it
out yet, however.
-- 
Brian May <b...@debian.org>
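The failure mode described in the message above, an artifact reaching PyPI without its signature because the upload was not immutable-safe, can be caught before the upload rather than after it. The following pre-upload check is an added example and is not code from this thread or from PyPI; it assumes the common layout in which each sdist or wheel in a release directory sits beside a detached ASCII-armoured GnuPG signature of the same name plus `.asc`, and that a `gpg` binary and the signer's public key are available when full verification is requested.

```python
"""Pre-upload check: refuse to publish a release directory in which any
artifact lacks (or fails) a detached GnuPG signature.

Added example, not code from the thread.  Assumes each artifact
(foo-1.0.tar.gz, foo-1.0-py3-none-any.whl, ...) is accompanied by a
detached signature named <artifact>.asc in the same directory.
"""
import os
import subprocess
import sys

# File suffixes treated as release artifacts that must carry a signature.
ARTIFACT_SUFFIXES = (".tar.gz", ".zip", ".whl")


def is_artifact(name):
    """True for sdist/wheel filenames; the .asc files themselves are not artifacts."""
    return name.endswith(ARTIFACT_SUFFIXES)


def missing_signatures(filenames):
    """Return the artifacts in `filenames` that have no matching `.asc` beside them."""
    names = set(filenames)
    return sorted(n for n in names if is_artifact(n) and n + ".asc" not in names)


def verify_detached(artifact, signature, gpg="gpg"):
    """Run `gpg --verify` on one artifact; True iff the signature checks out.

    Needs a real gpg binary and the signer's public key in the keyring, so
    it is only invoked when check_dist_dir() is called with verify=True.
    """
    result = subprocess.run(
        [gpg, "--batch", "--verify", signature, artifact],
        capture_output=True,
    )
    return result.returncode == 0


def check_dist_dir(path, verify=False):
    """Return (ok, problems) for a release directory.

    `problems` lists artifacts with no signature and, when verify=True,
    artifacts whose signature does not verify.  An empty list means the
    directory is safe to upload.
    """
    files = os.listdir(path)
    problems = ["no signature for " + n for n in missing_signatures(files)]
    if verify:
        for n in files:
            if is_artifact(n) and n + ".asc" in files:
                art = os.path.join(path, n)
                sig = os.path.join(path, n + ".asc")
                if not verify_detached(art, sig):
                    problems.append("bad signature for " + n)
    return (not problems, problems)


if __name__ == "__main__":
    # Usage: python check_signed.py [dist_dir] [--verify]
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    dist = args[0] if args else "dist"
    ok, problems = check_dist_dir(dist, verify="--verify" in sys.argv)
    for p in problems:
        print(p, file=sys.stderr)
    sys.exit(0 if ok else 1)
```

Wiring this in as the step that runs immediately before the upload command (and exiting non-zero on any problem) turns "I forgot to sign" into a local failure that can be fixed, instead of a published version that can never have its signature added.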