[Python-ideas] Re: Pip & gpg story

2022-06-28 Thread Jean Abou Samra



On 28/06/2022 at 12:59, J. Pic wrote:

Hi

Currently we can upload signed packages on pypi.

Shouldn't pip have a keyring of trusted projects or developers and 
enforce whitelisting of untrusted packages, either through a 
requirement flag or through an interactive question in CLI?


I think this would help with user security if we want to keep pypi 
open for upload to all on the long term.


Thanks for your feedback


Shouldn't this be raised on the Pip tracker or on 
https://discuss.python.org/c/packaging? I thought this mailing list was 
for the Python language itself.

___
Python-ideas mailing list -- python-ideas@python.org
To unsubscribe send an email to python-ideas-le...@python.org
https://mail.python.org/mailman3/lists/python-ideas.python.org/
Message archived at 
https://mail.python.org/archives/list/python-ideas@python.org/message/RVZJQQ4N5ZRV4BLAF3JV7LDASUGZWG2J/
Code of Conduct: http://python.org/psf/codeofconduct/
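To make the proposal concrete: the sketch below is an added example, not code from the thread, from pip or from PyPI. It takes the machine-readable status lines that GnuPG writes to `--status-fd` when verifying a detached signature, extracts the fingerprint of the primary key that signed the file, and checks it against a per-project allowlist of trusted signers (the "keyring of trusted projects or developers" in the post). The project name, fingerprints and status lines are constructed for illustration; `TRUSTED_SIGNERS`, `parse_gpg_status`, `decide` and `verify_with_gpg` are names chosen here, not pip options.

```python
"""Allowlist check for GPG-signed distributions (added example, not pip code).

The sample status lines and fingerprints below are constructed; the only
real format relied on is GnuPG's '[GNUPG:] ...' status output.
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed allowlist: project name -> fingerprints of the primary keys whose
# signatures are accepted for that project. A real tool would load this from a
# user-level trust file; these values are made up for the example.
TRUSTED_SIGNERS: Dict[str, Set[str]] = {
    "examplepkg": {"A1B2C3D4E5F60718293A4B5C6D7E8F9011223344"},
}


@dataclass
class SigResult:
    status: str                 # "good", "bad", "no_pubkey", "error", "unsigned"
    fingerprint: Optional[str]  # fingerprint of the key that made the signature
    primary_fpr: Optional[str]  # fingerprint of its primary key (VALIDSIG field 10)


def parse_gpg_status(lines: Iterable[str]) -> SigResult:
    """Reduce gpg --status-fd output to a single verdict.

    Only VALIDSIG carries full fingerprints; GOODSIG carries just a long key id,
    which is too short to key an allowlist on. A signature by a subkey is
    attributed to its primary key, which is what the allowlist stores.
    """
    fpr = primary = None
    status = "unsigned"
    rejected = False
    for line in lines:
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        kw = fields[1]
        if kw == "VALIDSIG":
            fpr = fields[2].upper()
            primary = fields[11].upper() if len(fields) > 11 else fpr
            status = "good"
        elif kw in ("BADSIG", "EXPKEYSIG", "REVKEYSIG"):
            # Policy choice: an expired or revoked key is not an acceptable
            # signer even though gpg may still report the signature as valid.
            rejected = True
        elif kw == "NO_PUBKEY":
            status = "no_pubkey"
        elif kw == "ERRSIG" and status == "unsigned":
            status = "error"
    if rejected:
        return SigResult("bad", fpr, primary)
    return SigResult(status, fpr, primary)


def decide(project: str, result: SigResult,
           trusted: Dict[str, Set[str]] = TRUSTED_SIGNERS) -> str:
    """Return 'install', 'reject' or 'ask' for one distribution file."""
    if result.status != "good":
        return "reject"
    allowed = trusted.get(project, set())
    if not allowed:
        # Project not pinned yet: this is where the post's interactive question
        # (trust on first use) would go; a strict flag would reject instead.
        return "ask"
    return "install" if result.primary_fpr in allowed else "reject"


def verify_with_gpg(dist_path: str, sig_path: str, keyring: str) -> SigResult:
    """Run gpg against a dedicated keyring and parse its status output.

    --no-default-keyring/--keyring keep the check away from the user's personal
    keyring, so only keys deliberately imported into `keyring` can match.
    (Not exercised by the tests; needs a gpg binary.)
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
         "--status-fd", "1", "--verify", sig_path, dist_path],
        capture_output=True, text=True, check=False,
    )
    return parse_gpg_status(proc.stdout.splitlines())


# Constructed gpg status output for a signature made by a signing subkey
# whose primary key is on the allowlist above.
SAMPLE_GOOD: List[str] = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 6D7E8F9011223344 Example Dev <dev@example.invalid>",
    "[GNUPG:] VALIDSIG 0011223344556677889900AABBCCDDEEFF001122 2022-06-28 "
    "1656417600 0 4 0 22 8 00 A1B2C3D4E5F60718293A4B5C6D7E8F9011223344",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]

# Constructed output for a signature by a key that is not in the keyring.
SAMPLE_NO_KEY: List[str] = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] ERRSIG DEADBEEFDEADBEEF 22 8 00 1656417600 9 "
    "DEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF",
    "[GNUPG:] NO_PUBKEY DEADBEEFDEADBEEF",
]

# Constructed output for a tampered file (signature does not verify).
SAMPLE_BAD: List[str] = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 6D7E8F9011223344 Example Dev <dev@example.invalid>",
]
```

Two things this makes visible that the proposal glosses over: the allowlist has to be keyed on the primary key fingerprint rather than on the short key id or on a subkey, and the policy for a project with no pinned signer (prompt, trust on first use, or hard fail) is a separate decision from signature validity. pip itself checks hashes with `--require-hashes` but performs no signature verification, so a tool like this would wrap `pip download` rather than run inside pip.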


[Python-ideas] Re: Pip & gpg story

2022-06-28 Thread Chris Angelico
On Tue, 28 Jun 2022 at 21:02, J. Pic wrote:
>
> Hi
>
> Currently we can upload signed packages on pypi.
>
> Shouldn't pip have a keyring of trusted projects or developers and enforce 
> whitelisting of untrusted packages, either through a requirement flag or 
> through an interactive question in CLI?
>
> I think this would help with user security if we want to keep pypi open for 
> upload to all on the long term.
>
> Thanks for your feedback

How would a key get added to the whitelist? Would this unfairly block
small developers from publishing their code?

ChrisA
___
Message archived at 
https://mail.python.org/archives/list/python-ideas@python.org/message/B7Z3GHOPDSW7GV4D3NBLMXK4G3B6AEGU/