On 2017-03-12 11:46:31 +1100 (+1100), Ben Finney wrote:
> In response to polite requests for signed releases, some upstream
> maintainers are now pointing to that thread and closing bug reports as
> “won't fix”.
> What prospect is there in the Python community to get signed upstream
> releases become the obvious norm?

Speaking for OpenStack's tarballs at least, our sdists are built by
release automation which also generates detached OpenPGP
signatures so as to provide proof of provenance... but we don't
upload them to PyPI since the authors of the coming Warehouse
replacement for the current CheeseShop PyPI have already indicated
that they intend to drop support for signatures entirely. We
consider https://releases.openstack.org/ the official source of
information for our release information and host our signatures
there instead (well, really on https://tarballs.openstack.org/ with
direct links from the former).

The same key used to sign our tarballs (and wheels) also signs our
Git tags, for added consistency.
Of possible further interest: we modeled a fair amount of our key
management after what's employed for Debian's archive keys.
Jeremy Stanley

Attachment: signature.asc
Description: Digital signature

Reply via email to