Re: GnuPG signatures on PyPI: why so few?

2017-03-13 Thread Barry Warsaw
On Mar 12, 2017, at 11:46 AM, Ben Finney wrote:
> What prospect is there in the Python community to get signed upstream
> releases become the obvious norm?

I don't know. Digital security seems to be mostly an afterthought unfortunately. I always use `twine upload --sign` so all my projects have

Re: GnuPG signatures on PyPI: why so few?

2017-03-13 Thread Hans-Christoph Steiner
Donald Stufft:
>
>> On Mar 12, 2017, at 10:35 PM, Paul Wise wrote:
>>
>> On Mon, Mar 13, 2017 at 4:28 AM, Jeremy Stanley wrote:
>>
>>> upload them to PyPI since the authors of the coming Warehouse
>>> replacement for the current CheeseShop PyPI have already indicated
>>> that

Re: GnuPG signatures on PyPI: why so few?

2017-03-12 Thread Brian May
Donald Stufft writes:
> https://mail.python.org/pipermail/distutils-sig/2016-May/028933.html
> "I am aware of a single tool anywhere that actively supports verifying the signatures that people upload
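The message above is about how few tools actually verify the signatures uploaded to PyPI. The first step any such tool has to take is finding out which files have a signature at all. PEP 503 lets a "simple" index page mark each file link with `data-gpg-sig="true"` or `"false"`, and PyPI served the detached signature at the file URL plus `.asc`. The script below, an added example that is not code from this thread or from any PyPI tool, parses a constructed index page (not fetched from PyPI; the host `pypi.example` and the hashes are placeholders) and reports signed, unsigned and unmarked files together with the signature URL a verifier would fetch. Note that a missing attribute means "unknown", not "unsigned"; treating it as unsigned would silently skip verification.

```python
"""Count GPG-signed release files on a PEP 503 "simple" index page.

Added example, not part of the original thread. Uses only the standard
library so it runs offline against the constructed sample page below.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class SimpleIndexParser(HTMLParser):
    """Collect {name, url, signed} for every <a> link on a simple-index page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.files = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        if not href:
            return
        # PEP 503: data-gpg-sig is optional. Absent means "unknown", and a
        # verifier must not confuse that with "false" (no signature).
        flag = attrs.get("data-gpg-sig")
        signed = None if flag is None else flag.lower() == "true"
        self._current = {
            "url": urljoin(self.base_url, href),
            "signed": signed,
            "name": "",
        }

    def handle_data(self, data):
        if self._current is not None:
            self._current["name"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self._current["name"] = self._current["name"].strip()
            self.files.append(self._current)
            self._current = None


def signature_url(file_url):
    """Detached signature lives at <file URL> + '.asc' (PyPI convention).

    The index attaches a '#sha256=...' fragment to the file link; it is not
    part of the resource name, so strip it before appending '.asc'.
    """
    parsed = urlparse(file_url)
    return parsed._replace(fragment="").geturl() + ".asc"


def signature_report(page_html, base_url):
    """Parse one project page and summarise its signature coverage."""
    parser = SimpleIndexParser(base_url)
    parser.feed(page_html)
    signed = [f for f in parser.files if f["signed"] is True]
    unsigned = [f for f in parser.files if f["signed"] is False]
    unknown = [f for f in parser.files if f["signed"] is None]
    return {
        "total": len(parser.files),
        "signed": sorted(f["name"] for f in signed),
        "unsigned": sorted(f["name"] for f in unsigned),
        "unknown": sorted(f["name"] for f in unknown),
        "signature_urls": {f["name"]: signature_url(f["url"]) for f in signed},
    }


# Constructed sample page (not fetched from PyPI); host and hashes are placeholders.
SAMPLE_PAGE = """<!DOCTYPE html><html><body>
<a href="../../packages/ex/example-1.0.tar.gz#sha256=00" data-gpg-sig="true">example-1.0.tar.gz</a><br/>
<a href="../../packages/ex/example-1.0-py3-none-any.whl#sha256=11" data-gpg-sig="false">example-1.0-py3-none-any.whl</a><br/>
<a href="../../packages/ex/example-1.1.tar.gz#sha256=22">example-1.1.tar.gz</a><br/>
</body></html>"""

SAMPLE_BASE_URL = "https://pypi.example/simple/example/"

if __name__ == "__main__":
    for key, value in signature_report(SAMPLE_PAGE, SAMPLE_BASE_URL).items():
        print(f"{key}: {value}")
```

A real verifier would fetch each `signature_urls` entry and run it through GnuPG against a key it already trusts for that project; the index attribute only tells you whether there is something to check, never that the signature is valid or made by the right key.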

Re: GnuPG signatures on PyPI: why so few?

2017-03-12 Thread Donald Stufft
> On Mar 12, 2017, at 10:35 PM, Paul Wise wrote:
>
> On Mon, Mar 13, 2017 at 4:28 AM, Jeremy Stanley wrote:
>
>> upload them to PyPI since the authors of the coming Warehouse
>> replacement for the current CheeseShop PyPI have already indicated
>> that they intend to drop

Re: GnuPG signatures on PyPI: why so few?

2017-03-12 Thread Paul Wise
On Mon, Mar 13, 2017 at 4:28 AM, Jeremy Stanley wrote:
> upload them to PyPI since the authors of the coming Warehouse
> replacement for the current CheeseShop PyPI have already indicated
> that they intend to drop support for signatures entirely.

Did they give any reasoning for this decision?

Re: GnuPG signatures on PyPI: why so few?

2017-03-12 Thread Jeremy Stanley
On 2017-03-12 11:46:31 +1100 (+1100), Ben Finney wrote:
[...]
> In response to polite requests for signed releases, some upstream
> maintainers are now pointing to that thread and closing bug reports as
> “won't fix”.
>
> What prospect is there in the Python community to get signed upstream
>

Re: GnuPG signatures on PyPI: why so few?

2017-03-11 Thread Ben Finney
Brian May writes:
> Maybe there is some way of turning signatures on by default, so I don't
> have to remember for every upload, if so, I haven't been able to work it
> out yet however.

I don't know how it should be done using the currently-recommended Twine tool. For

Re: GnuPG signatures on PyPI: why so few?

2017-03-11 Thread Donald Stufft
> On Mar 11, 2017, at 9:23 PM, Brian May wrote:
>
> Ben Finney writes:
>
>> However, this only works if upstream releases are actually accompanied
>> by a valid GnuPG signature each time. The PyPI infrastructure supports
>> this; why isn't it more widely

Re: GnuPG signatures on PyPI: why so few?

2017-03-11 Thread Brian May
Ben Finney writes:
> However, this only works if upstream releases are actually accompanied
> by a valid GnuPG signature each time. The PyPI infrastructure supports
> this; why isn't it more widely encouraged?

One reason I have found for myself: I can forget to sign the

GnuPG signatures on PyPI: why so few?

2017-03-11 Thread Ben Finney
Howdy all,

What prospects are there for PyPI to have GnuPG-signed packages by default?

Debian's uscan has the ability to find, download, and verify the GnuPG signature for a package source release. Lintian will remind the maintainer if a Debian source package is not taking advantage of this.
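What the uscan verification Ben describes looks like in practice, as an added example that is not part of his post: a `debian/watch` file (format 4) that locates a PyPI-hosted sdist through the pypi.debian.net redirector and, via `pgpsigurlmangle`, derives the detached signature URL by appending `.asc`. The project name `example-project` is a placeholder, not a real package.

```text
# debian/watch -- added example; "example-project" is a placeholder name
version=4
opts="pgpsigurlmangle=s/$/.asc/" \
  https://pypi.debian.net/example-project/example-project-(.+)\.tar\.gz
```

With this in place uscan fetches `<tarball>.asc` alongside the tarball and verifies it against the upstream key stored in `debian/upstream/signing-key.asc`, refusing the download if the signature does not check out. The whole mechanism only works when upstream publishes the `.asc` file for every release, which is exactly the gap the thread is about: if the signature is missing or was made with a different key, the package cannot be imported without first dropping the check.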