
June 28, 2022
4:11 a.m.
On Tue, 28 Jun 2022 at 21:02, J. Pic <jpic@yourlabs.org> wrote:
Hi
Currently we can upload signed packages on pypi.
Shouldn't pip have a keyring of trusted projects or developers and enforce whitelisting of untrusted packages, either through a requirement flag or through an interactive question in the CLI?
I think this would help with user security if we want to keep pypi open for upload to all in the long term.
Thanks for your feedback
How would a key get added to the whitelist? Would this unfairly block small developers from publishing their code?

ChrisA
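To make the proposal concrete, here is an added sketch (not pip's, PyPI's, or either poster's code) of the check J. Pic describes: a local keyring of trusted projects and developers, consulted before a signed package is installed, with an "ask the user" outcome standing in for the interactive CLI question. The allowlist file format, the `project`/`developer` entry kinds, and the fingerprint values are all assumptions made for the example.

```python
"""Added example: allowlist check for signed packages.

Models the proposal in the thread: keep a keyring of trusted projects
and developers, and whitelist (or interactively confirm) anything else.
Nothing here is pip's own behaviour; the file format and outcomes are
assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class TrustStore:
    # project name -> set of signer key fingerprints trusted for that project
    projects: dict = field(default_factory=dict)
    # fingerprints trusted regardless of project (the "trusted developer" case)
    developers: set = field(default_factory=set)


def parse_truststore(text):
    """Parse a small line-oriented allowlist (assumed format):

        project   <name> <fingerprint>
        developer <fingerprint>

    Blank lines and '#' comments are ignored; anything else is an error,
    so a typo in the keyring fails loudly instead of silently trusting nothing.
    """
    store = TrustStore()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "project" and len(parts) == 3:
            store.projects.setdefault(parts[1].lower(), set()).add(parts[2].lower())
        elif parts[0] == "developer" and len(parts) == 2:
            store.developers.add(parts[1].lower())
        else:
            raise ValueError(f"line {lineno}: unrecognised keyring entry {raw!r}")
    return store


def check_package(store, project, signer_fingerprint, interactive=False):
    """Decide what to do with a package whose signature was made by the key
    with fingerprint `signer_fingerprint` (already verified upstream).

    Returns "allow", "confirm" (ask the user, as in the interactive-question
    variant of the proposal) or "reject" (the requirement-flag variant).
    Unsigned packages are rejected outright: there is no key to look up,
    so the check fails closed.
    """
    project = project.lower()
    fp = (signer_fingerprint or "").lower()
    if not fp:
        return "reject"
    if fp in store.projects.get(project, set()) or fp in store.developers:
        return "allow"
    return "confirm" if interactive else "reject"


# Constructed sample keyring; fingerprints are made-up placeholders.
SAMPLE_KEYRING = """
# project-scoped trust
project requests 0xAAAA1111AAAA1111
# developer trusted for any project
developer 0xBBBB2222BBBB2222
"""


def demo():
    """Run the check over a few constructed cases and return the outcomes."""
    store = parse_truststore(SAMPLE_KEYRING)
    return {
        "trusted project key": check_package(store, "requests", "0xAAAA1111AAAA1111"),
        "trusted developer, new project": check_package(store, "newlib", "0xBBBB2222BBBB2222"),
        "unknown key, strict": check_package(store, "requests", "0xCCCC3333CCCC3333"),
        "unknown key, interactive": check_package(store, "requests", "0xCCCC3333CCCC3333", interactive=True),
        "unsigned": check_package(store, "requests", None),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:32} -> {outcome}")
```

Two design points worth noticing. The per-developer entry answers the small-developer concern only partly: once a developer key is trusted globally it is accepted for any project name, so a trusted key that starts signing an unfamiliar project is allowed without a prompt, which is the trade-off between convenience and per-project scoping that the thread is circling. And the check fails closed on unsigned packages; with PyPI open to all uploads, an allowlist that treated "no signature" as "nothing to check" would be trivially bypassed.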