On May 12, 2016, at 8:05 AM, Paul Moore <p.f.moore@gmail.com> wrote:
On 12 May 2016 at 12:41, Donald Stufft <donald@stufft.io> wrote:
What do folks think? Would anyone be particularly against getting rid of the GPG support in PyPI?
28K projects is too many to do a mailshot, but would it be worth asking this question more widely than on distutils-sig? Just "Do you maintain a project on PyPI that has GPG sigs and would you care if we removed them? If so, please let us know on the thread on distutils-sig."
It's 28k *files* but a single project can have more than one file. The total number of projects that have *ever* uploaded a file with a signature is 3.5k and of that 3.5k, only 2.7k projects have their *latest* release uploaded with signatures.
On an unrelated note, it might be a good feature for Warehouse to add some means of notifying project owners for cases like this.
Paul
-----------------
Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA