Hi
Currently we can upload signed packages on pypi.
Shouldn't pip have a keyring of trusted projects or developers and enforce whitelisting of untrusted packages, either through a requirement flag or through an interactive question in the CLI?
I think this would help with user security if we want to keep pypi open for upload to all in the long term.
Thanks for your feedback