Scott,

Thanks for your reply. I wrote about this at a little more length in
https://mail.python.org/pipermail/python-list/2018-March/732329.html in
response to a related question. But for more discussion on this
particular point, the people you want to talk with are in the Python
distribution/packaging SIG list,
https://mail.python.org/mailman/listinfo/distutils-sig . Sorry to be
pushing you to yet another list, but the in-depth answers you want,
you're more likely to get there.

thanks,
Sumana Harihareswara

--
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
https://changeset.nyc

On 03/31/2018 11:23 PM, Scott Kitterman wrote:
> What replaces gpg for ensuring integrity of the uploaded code?
>
> Scott K
>
> On April 1, 2018 2:15:54 AM UTC, Sumana Harihareswara <s...@changeset.nyc>
> wrote:
>> Debian-Python experts,
>>
>> I'm writing to you in hopes you will forward this to the right places,
>> and file relevant bugs against uscan/watch, which I don't quite
>> understand enough to do myself. And if you want to follow up on
>> https://github.com/pypa/warehouse/issues/358#issuecomment-337233792 and
>> file a new issue asking for us to support your redirector more cleanly,
>> I'd welcome that.
>>
>> I'm the project manager for the new Python Package Index (Warehouse),
>> which is currently in beta at http://pypi.org/ . On the Warehouse
>> roadmap[1], it looks like the full switch will happen sometime
>> in April, so here's a heads-up about why we're switching, what's
>> changed, and what to expect. (Much of it won't be directly important to
>> you, but I figure you might want to know anyway!)
>>
>> The legacy PyPI site at https://pypi.python.org started in the early
>> 2000s. In recent years, users faced outages, malicious packages, and
>> spam attacks, and the legacy codebase made it hard to maintain and even
>> harder to develop new features.
>>
>> The new PyPI has a far more modern look, and is up-to-date under the
>> hood as well; a proper web framework (Pyramid), 100% backend test
>> coverage, and a Docker-based development environment, make it easier
>> for current and new developers to maintain it and add features.
>>
>> Thanks to Mozilla's Open Source Support funding[2], developers have
>> added many new features, overhauled infrastructure, and made steady
>> progress towards redirecting traffic to the new site and shutting down
>> the old one. As of the middle of last year, package releases must go
>> through the new PyPI, and as of late February, new user account
>> registration is only available on the new site. The full switch will
>> include redirecting browser and pip install traffic from the old site;
>> then, sometime in late April or early May, the legacy site will be
>> entirely shut down.
>>
>> Thanks to redirects, you may not have to change anything immediately.
>> Here's a migration guide.[3]
>>
>>
>> Some new PyPI features:
>> * mobile-responsive UI
>> * chronological release history for each project (example[4])
>> * easy-to-read project activity journal for project maintainers
>> * better search and filtering
>> * support for multiple project URLs (e.g., for a homepage and a
>>   repo[5])
>> * user-visible Gravatars and email addresses for maintainers
>> * no need to "register" a project before initial upload
>> * far better backend infrastructure, reducing the frequency of outages
>>
>>
>> Things that are going away, or already have (sometimes for policy or
>> spam-fighting reasons), include:
>> * pythonhosted.com documentation hosting (pypa/warehouse#582[6])
>> * download counts visible in the API[7] (instead, use the Google
>>   BigQuery service[8])
>> * GPG/PGP signatures for packages (still visible in the Simple Project
>>   API[9] per PEP 503[10], but no longer visible in the web UI)
>> * key management: PyPI no longer has a UI for users to manage their GPG
>>   or SSH public keys
>> * package maintainers being able to upload a new release via the web UI
>>   (instead, the recommended command-line tool is Twine[11])
>> * package maintainers being able to log in and update release
>>   descriptions via the web UI (to update release metadata, they need to
>>   upload a new release; see distutils-sig discussion[12])
>> * OpenID and Google auth login[13]
>> * users being able to upload a package without verifying their email
>>   address with PyPI first
>> * HTTP access to APIs; now it's HTTPS-only[14]
>>
>>
>> And in the works:
>> * PEP 541[15] will enable more timely package takeovers, as people get
>>   package names transferred to them after conflict resolution
>> * Now that PEP 566 has been approved, developers are working to get
>>   Markdown supported for README files on PyPI[16]
>>
>>
>> For future updates, please sign up for the low-traffic PyPI
>> announcements email list[17].
>>
>> Thank you for integrating with PyPI, and please let us know[18] if you
>> have any questions or problems with the new site!
>> --
>> Sumana Harihareswara
>> Changeset Consulting
>> https://changeset.nyc
>>
>>
>> Links:
>>
>> 1. https://wiki.python.org/psf/WarehouseRoadmap
>> 2. https://pyfound.blogspot.com/2017/11/the-psf-awarded-moss-grant-pypi.html
>> 3. https://warehouse.readthedocs.io/api-reference/integration-guide/#migrating-to-the-new-pypi
>> 4. https://pypi.org/project/pip/#history
>> 5. https://packaging.python.org/tutorials/distributing-packages/#project-urls
>> 6. https://github.com/pypa/warehouse/issues/582
>> 7. https://warehouse.readthedocs.io/api-reference/xml-rpc/#changes-to-legacy-api
>> 8. https://packaging.python.org/guides/analyzing-pypi-package-downloads/
>> 9. https://warehouse.readthedocs.io/api-reference/legacy/#simple-project-api
>> 10. https://www.python.org/dev/peps/pep-0503/
>> 11. http://twine.readthedocs.io/
>> 12. https://mail.python.org/pipermail/distutils-sig/2017-December/031826.html
>> 13. https://mail.python.org/pipermail/distutils-sig/2018-January/031855.html
>> 14. https://mail.python.org/pipermail/distutils-sig/2017-October/031712.html
>> 15. https://www.python.org/dev/peps/pep-0541/
>> 16. https://github.com/pypa/warehouse/issues/869#issuecomment-340928703
>> 17. https://mail.python.org/mm3/mailman3/lists/pypi-announce.python.org/
>> 18. https://github.com/pypa/warehouse/issues/new
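
Added example (not part of the original message, and not Warehouse or pip code): the announcement says GPG signatures stay visible in the Simple Project API per PEP 503. The Python below reads a PEP 503 project page, pulls each file link's hash fragment and data-gpg-sig attribute, and checks downloaded bytes against the advertised hash. The page content, the host pypi.example, the project "demo" and the allowed-hash policy are constructed assumptions.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin

# Constructed sample data: a made-up artifact and a PEP 503 style project page.
ARTIFACT = b"constructed sdist bytes"
PAGE = f"""<!DOCTYPE html><html><body>
<a href="../../packages/demo-1.0.tar.gz#sha256={hashlib.sha256(ARTIFACT).hexdigest()}"
   data-gpg-sig="true">demo-1.0.tar.gz</a>
<a href="../../packages/demo-0.9.tar.gz">demo-0.9.tar.gz</a>
</body></html>"""

# Policy assumed by this example: only accept these digest algorithms.
ALLOWED_HASHES = {"sha256", "sha384", "sha512"}


class SimplePage(HTMLParser):
    """Collect file links from a PEP 503 project page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.files = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag != "a" or not attrs.get("href"):
            return
        # PEP 503: the hash travels as a URL fragment, "#<hashname>=<hashvalue>".
        url, fragment = urldefrag(urljoin(self.base_url, attrs["href"]))
        algo, _, digest = fragment.partition("=")
        self.files.append({
            "url": url,
            "hash": (algo.lower(), digest.lower()) if digest else None,
            # data-gpg-sig is optional: True, False, or None when not stated.
            "gpg_sig": {"true": True, "false": False}.get(attrs.get("data-gpg-sig")),
            # A signature, if one exists, lives beside the file with ".asc" appended.
            "sig_url": url + ".asc",
        })


def parse_simple_page(html, base_url):
    parser = SimplePage(base_url)
    parser.feed(html)
    return parser.files


def verify_download(entry, data):
    """True only if the link advertised an allowed hash and the bytes match it."""
    if entry["hash"] is None or entry["hash"][0] not in ALLOWED_HASHES:
        return False
    algo, expected = entry["hash"]
    return hashlib.new(algo, data).hexdigest() == expected
```

The hash fragment only shows that the bytes match what the index page advertised; the detached .asc file is a separate artifact that still has to be checked against a key the consumer already trusts.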