June 28, 2022
7:27 p.m.
Le 28/06/2022 à 12:59, J. Pic a écrit :
Hi
Currently we can upload signed packages on pypi.
Shouldn't pip have a keyring of thrusted projects or developers and enforce whitelisting of untrusted packages, either through a requirement flag or through an interactive question in CLI?
I think this would help with user security if we want to keep pypi open for upload to all on the long term.
Thanks for your feedback
Shouldn't this be raised on the Pip tracker or on https://discuss.python.org/c/packaging? I thought this mailing list was for the Python language itself.