Re: [Distutils] GnuPG signatures on PyPI: why so few?

2017-03-13 Thread Donald Stufft
> On Mar 14, 2017, at 1:48 AM, Glyph Lefkowitz wrote:
>
> 3. A simple signing scheme, like https://minilock.io but for plaintext signatures rather than encryption, could potentially address

Re: [Distutils] GnuPG signatures on PyPI: why so few?

2017-03-13 Thread Glyph Lefkowitz
> On Mar 13, 2017, at 9:23 PM, Nick Coghlan wrote:
>
> On 14 March 2017 at 03:46, Steve Dower wrote:
> Another drive-by contribution: what if twine printed the hashes for anything it uploads with a message

Re: [Distutils] GnuPG signatures on PyPI: why so few?

2017-03-13 Thread Nick Coghlan
On 14 March 2017 at 03:46, Steve Dower wrote:
> Another drive-by contribution: what if twine printed the hashes for anything it uploads with a message basically saying "here are the things you should publish somewhere for this release so people can check the

Re: [Distutils] PEP 426 moved back to Draft status

2017-03-13 Thread Nathaniel Smith
On Fri, Mar 10, 2017 at 7:55 AM, Nick Coghlan wrote:
> On 11 March 2017 at 00:52, Nathaniel Smith wrote:
>>
>> On Fri, Mar 10, 2017 at 1:26 AM, Nick Coghlan wrote:
>> > Hi folks,
>> >
>> > After a few years of dormancy, I've finally moved

Re: [Distutils] GnuPG signatures on PyPI: why so few?

2017-03-13 Thread Steve Dower
Another drive-by contribution: what if twine printed the hashes for anything it uploads with a message basically saying "here are the things you should publish somewhere for this release so people can check the validity of your packages after they download them"? I suspect many publishers have

[Distutils] FYI - "Trending" on Warehouse

2017-03-13 Thread Donald Stufft
Just an FYI, I’ve replaced the long-stagnant “top downloads” on the Warehouse / pypi.org homepage with “Trending” projects. Since “trending” can mean a lot of different things as far as how it’s computed, here’s how I’m currently doing it [1]: Using a look back over the

Re: [Distutils] PEP 426 moved back to Draft status

2017-03-13 Thread Nick Coghlan
On 11 March 2017 at 14:17, Nick Coghlan wrote:
> On 11 March 2017 at 07:03, Daniel Holth wrote:
>
>> You lost me a bit at 'extra sets'. FYI it is already possible to depend on your own extras in another extra.
>>
>> Extra pseudo code:
>> spampackage

Re: [Distutils] Best practice to build binary wheels on Github+Travis and upload to PyPI

2017-03-13 Thread Ralf Gommers
On Mon, Mar 13, 2017 at 10:47 PM, Lele Gaifax wrote:
> Hi all,
>
> I'd like to learn how to configure a project I keep on Github so that at release time it will trigger a build of binary wheels for different versions of Python 3 and eventually upload them to PyPI.

[Distutils] Best practice to build binary wheels on Github+Travis and upload to PyPI

2017-03-13 Thread Lele Gaifax
Hi all, I'd like to learn how to configure a project I keep on Github so that at release time it will trigger a build of binary wheels for different versions of Python 3 and eventually upload them to PyPI. At first I tried to follow the Travis deploy instructions [1], but while that works for

Re: [Distutils] GnuPG signatures on PyPI: why so few?

2017-03-13 Thread Nick Coghlan
On 13 March 2017 at 05:51, Glyph Lefkowitz wrote:
> To summarize: Even if we only cared about supplying package upstreams to Debian (and that is a tiny part of PyPI's mission), right now, using the existing tooling of uscan and lintian, the only security value that