Hi Currently we can upload signed packages on pypi.
Shouldn't pip have a keyring of thrusted projects or developers and enforce whitelisting of untrusted packages, either through a requirement flag or through an interactive question in CLI? I think this would help with user security if we want to keep pypi open for upload to all on the long term. Thanks for your feedback
_______________________________________________ Python-ideas mailing list -- python-ideas@python.org To unsubscribe send an email to python-ideas-le...@python.org https://mail.python.org/mailman3/lists/python-ideas.python.org/ Message archived at https://mail.python.org/archives/list/python-ideas@python.org/message/PHJ65UUQC6MSNJLHS5QG7ZPZBJ5PUSI4/ Code of Conduct: http://python.org/psf/codeofconduct/