On 2016-05-12 07:41:21 -0400 (-0400), Donald Stufft wrote: [...]
What do folks think? Would anyone be particularly against getting rid of the GPG support in PyPI?
We have plans[*] in the OpenStack community to start autosigning our sdist and wheel builds (and similar release artifacts we build for other package ecosystems), so that we can track provenance and integrity through part of our release pipeline. I'm hoping to have that implemented in the next few months.
While also uploading these signatures to PyPI was seen as useful, we do already have another primary location we can publish detached signatures along with our release artifacts so I would probably just ignore the PyPI/twine-specific part of the work if this goes away.