On Tue, 28 Jun 2022 at 21:02, J. Pic <[email protected]> wrote:
>
> Hi
>
> Currently we can upload signed packages on pypi.
>
> Shouldn't pip have a keyring of trusted projects or developers and enforce
> whitelisting of untrusted packages, either through a requirement flag or
> through an interactive question in CLI?
>
> I think this would help with user security if we want to keep pypi open for
> upload to all on the long term.
>
> Thanks for your feedback
How would a key get added to the whitelist? Would this unfairly block small developers from publishing their code?

ChrisA

_______________________________________________
Python-ideas mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at https://mail.python.org/archives/list/[email protected]/message/B7Z3GHOPDSW7GV4D3NBLMXK4G3B6AEGU/
Code of Conduct: http://python.org/psf/codeofconduct/
