On Tue, 28 Jun 2022 at 21:02, J. Pic <j...@yourlabs.org> wrote:
>
> Hi
>
> Currently we can upload signed packages on pypi.
>
> Shouldn't pip have a keyring of trusted projects or developers and enforce 
> whitelisting of untrusted packages, either through a requirement flag or 
> through an interactive question in CLI?
>
> I think this would help with user security if we want to keep pypi open for 
> upload to all in the long term.
>
> Thanks for your feedback

How would a key get added to the whitelist? Would this unfairly block
small developers from publishing their code?

ChrisA
_______________________________________________
Python-ideas mailing list -- python-ideas@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at 
https://mail.python.org/archives/list/python-ideas@python.org/message/B7Z3GHOPDSW7GV4D3NBLMXK4G3B6AEGU/