Hi

Currently we can upload signed packages on pypi.

Shouldn't pip have a keyring of trusted projects or developers and enforce whitelisting of untrusted packages, either through a requirement flag or through an interactive question in the CLI?

I think this would help with user security if we want to keep pypi open for upload to all in the long term.

Thanks for your feedback.