On 2017-03-12 11:46:31 +1100 (+1100), Ben Finney wrote:
[...]
> In response to polite requests for signed releases, some upstream
> maintainers are now pointing to that thread and closing bug reports as
> “won't fix”.
>
> What prospect is there in the Python community to get signed upstream
> releases to become the obvious norm?
Speaking for OpenStack's tarballs at least, our sdists are built by release automation which also generates detached OpenPGP signatures so as to provide proof of provenance... but we don't upload them to PyPI since the authors of the coming Warehouse replacement for the current CheeseShop PyPI have already indicated that they intend to drop support for signatures entirely. We consider https://releases.openstack.org/ the official source of information for our release information and host our signatures there instead (well, really on https://tarballs.openstack.org/ with direct links from the former). The same key used to sign our tarballs (and wheels) also signs our Git tags, for added consistency.

https://releases.openstack.org/#cryptographic-signatures

Of possible further interest: we modeled a fair amount of our key management after what's employed for Debian's archive keys.

-- 
Jeremy Stanley
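An added example, not OpenStack's release tooling and not code from the message above: the consumer-side check that detached signatures published this way are meant to enable. The script verifies a downloaded tarball against its detached `.asc` and then confirms that the signature was made by a pinned key fingerprint, reading GnuPG's machine-readable `--status-fd` lines rather than its human-readable "Good signature" text (which is locale-dependent and does not say which key signed). It assumes GnuPG 2.x is installed and the release key has already been imported; the `RELEASE_KEY_FPR` default, the filenames and the status lines quoted in comments are placeholders I constructed, not real fingerprints or OpenStack values.

```shell
#!/bin/sh
# Verify a release tarball against a detached OpenPGP signature and a
# pinned signing-key fingerprint. Example code, not OpenStack's tooling.
# Assumptions: gpg (GnuPG 2.x) is on PATH and the release key is already
# imported. RELEASE_KEY_FPR below is a placeholder, not a real fingerprint.

RELEASE_KEY_FPR="${RELEASE_KEY_FPR:-0000000000000000000000000000000000000000}"

# Parse gpg status lines (as emitted by --status-fd) and succeed only if a
# VALIDSIG line names the pinned fingerprint. VALIDSIG looks like:
#   [GNUPG:] VALIDSIG <sig-key-fpr> <date> <ts> <exp> <ver> <rsv> <pk> <hash> <class> <primary-fpr>
# so the pinned value may match either the signing subkey (field 3) or the
# primary key (last field). GOODSIG alone is not enough: it only proves the
# signature checks out under *some* key in the keyring.
status_has_valid_sig() {
    status="$1"
    want="$2"
    printf '%s\n' "$status" | awk -v want="$want" '
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" {
            if ($3 == want || $NF == want) { found = 1 }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Verify tarball $1 against detached signature $2 (defaults to "$1.asc").
# Returns 0 on a valid signature from the pinned key, 1 on a bad/unknown
# signature, 2 on a usage or environment problem.
verify_release() {
    tarball="$1"
    sig="${2:-$1.asc}"
    command -v gpg >/dev/null 2>&1 || { echo "gpg not found" >&2; return 2; }
    [ -f "$tarball" ] || { echo "missing tarball: $tarball" >&2; return 2; }
    [ -f "$sig" ]     || { echo "missing signature: $sig" >&2; return 2; }
    # --status-fd 1 puts the machine-readable lines on stdout; the human
    # text goes to stderr and is discarded. gpg exits non-zero on a bad
    # signature, so keep going and let the status lines decide.
    status=$(gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || :
    if status_has_valid_sig "$status" "$RELEASE_KEY_FPR"; then
        echo "OK: $tarball signed by key $RELEASE_KEY_FPR"
        return 0
    fi
    echo "FAIL: no valid signature from the pinned key on $tarball" >&2
    return 1
}

# Usage: RELEASE_KEY_FPR=<fingerprint> ./verify-release.sh project-1.0.0.tar.gz
if [ "$#" -ge 1 ]; then
    verify_release "$@"
fi
```

Pinning the fingerprint in the verifier (or in CI configuration) is what turns "the signature is valid" into "the signature is from the project's release key"; the same status-line approach works for the Git tags the message mentions via `git verify-tag --raw`, which prints the identical `[GNUPG:]` lines.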