On May 12, 2016, at 04:34 PM, Donald Stufft wrote:
>So my response to this is, let's pretend for a minute that we have the
>greatest and most amazing setup for verifying that the key 0x6E3CBCE93372DCFA
>belongs to me. What's your next step? How do you verify that I'm allowed to
>release for pip?
On May 12, 2016 4:41 AM, "Donald Stufft" wrote:
>
[...]
> All in all, I think that there is not a whole lot of point to having this
> feature in PyPI, it is predicated on a bunch of invalid assumptions (as detailed
> above) and I do not believe end users are actually even using the keys that
> are be
> On May 12, 2016, at 3:05 PM, Barry Warsaw wrote:
>
> On May 12, 2016, at 07:41 AM, Donald Stufft wrote:
>
>> I am aware of a single tool anywhere that actively supports verifying the
>> signatures that people upload to PyPI, and that is Debian's uscan
>> program. Even in that case the people
On May 12, 2016, at 07:41 AM, Donald Stufft wrote:
>I am aware of a single tool anywhere that actively supports verifying the
>signatures that people upload to PyPI, and that is Debian's uscan
>program. Even in that case the people writing the Debian watch file have to
>hardcode in a signing key i
On 2016-05-12 07:41:21 -0400 (-0400), Donald Stufft wrote:
[...]
> What do folks think? Would anyone be particularly against getting
> rid of the GPG support in PyPI?
We have plans[*] in the OpenStack community to start autosigning our
sdist and wheel builds (and similar release artifacts we build
> On May 12, 2016, at 8:56 AM, Nick Coghlan wrote:
>
> On 12 May 2016 at 21:41, Donald Stufft wrote:
>> Thus, I would like to remove this feature from PyPI (but not from PEP 503, if
>> other repositories want to continue to support it they are free to). Doing this
>> would allow simplifying
On 12 May 2016 at 21:41, Donald Stufft wrote:
> Thus, I would like to remove this feature from PyPI (but not from PEP 503, if
> other repositories want to continue to support it they are free to). Doing this
> would allow simplifying code we have in Warehouse anyplace we touch uploaded files
> On May 12, 2016, at 8:05 AM, Paul Moore wrote:
>
> On 12 May 2016 at 12:41, Donald Stufft wrote:
>> What do folks think? Would anyone be particularly against getting rid of the
>> GPG support in PyPI?
>
> 28K projects is too many to do a mailshot, but would it be worth
> asking this question
On 12 May 2016 at 12:41, Donald Stufft wrote:
> What do folks think? Would anyone be particularly against getting rid of the
> GPG support in PyPI?
28K projects is too many to do a mailshot, but would it be worth
asking this question more widely than on distutils-sig? Just "Do you
maintain a proj
Currently, PyPI allows you to upload a GPG signature along with your package
file as well as associate a GPG Short ID with your user. Theoretically this
allows end users to not trust PyPI and instead validate end to end signatures
from the original author.
I've written [1] previously about package