Hi

Currently we can upload signed packages on PyPI. Shouldn't pip have a keyring of trusted projects or developers and enforce whitelisting of untrusted packages, either through a requirement flag or through an interactive question in the CLI? I think this would help with user security if we want to keep PyPI open for uploads from everyone in the long term.

Thanks for your feedback
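To make the proposal concrete, here is an added illustration of the trust policy it describes: a per-project store of trusted signing keys, a strict mode standing in for the suggested requirement flag, and an interactive mode standing in for the CLI question. This is example code written for this page, not pip's own code or anything J. Pic wrote. It assumes that each artifact's signature has already been verified out of band and reduced to the fingerprint of the key that signed it (None for unsigned uploads); the project names, fingerprints and file bytes are constructed for the example. The one piece of real pip syntax in it is the `--hash=sha256:...` requirement line, which pip already honours under `--require-hashes` and which gives a per-artifact allowlist even without any key trust.

```python
"""Added example of a pip-side trust policy (not pip's code).

Assumption, labelled here and in the lead-in: signature verification has
already happened and produced the signer's key fingerprint, or None when the
upload carried no signature. All names, fingerprints and bytes are made up.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

# Trust store: project name -> fingerprints of keys allowed to sign its releases.
# This is the "keyring of trusted projects or developers" from the proposal.
TrustStore = Dict[str, Set[str]]


@dataclass
class Artifact:
    name: str
    version: str
    data: bytes                 # bytes of the downloaded wheel or sdist
    expected_sha256: str        # digest pinned in the requirements file
    signer: Optional[str]       # fingerprint the signature verified against, or None


def pinned_requirement(name: str, version: str, data: bytes) -> str:
    """Render a hash-pinned requirement line in the syntax pip already accepts
    (installed with `pip install --require-hashes -r requirements.txt`)."""
    digest = hashlib.sha256(data).hexdigest()
    return f"{name}=={version} --hash=sha256:{digest}"


def decide(art: Artifact, trust: TrustStore, *, require_trusted: bool,
           prompt: Optional[Callable[[str], bool]] = None) -> str:
    """Return 'install' or 'reject' for one artifact.

    require_trusted models the proposed requirement flag: an unsigned artifact,
    or one signed by a key not in the trust store, is refused outright.
    prompt models the proposed interactive question and is consulted only when
    require_trusted is False. With neither, the default is to refuse.
    """
    # Content check first: a wrong digest is always fatal, whoever signed it.
    if hashlib.sha256(art.data).hexdigest() != art.expected_sha256:
        return "reject"
    if art.signer is not None and art.signer in trust.get(art.name, set()):
        return "install"
    if require_trusted:
        return "reject"
    if prompt is not None:
        who = art.signer or "an unsigned upload"
        if prompt(f"{art.name}=={art.version} is from {who}; install anyway? [y/N] "):
            # Trust on first use: remember the key so the question is asked once.
            # This is the weak step of any TOFU scheme, so it is opt-in here.
            if art.signer is not None:
                trust.setdefault(art.name, set()).add(art.signer)
            return "install"
    return "reject"


def run_sample() -> Dict[str, object]:
    """Evaluate the policy over constructed artifacts and return the outcomes."""
    good = b"constructed wheel bytes for example-lib 1.0 (not a real file)"
    good_digest = hashlib.sha256(good).hexdigest()
    trust: TrustStore = {"example-lib": {"AAAA1111"}}   # constructed fingerprint

    signed_ok = Artifact("example-lib", "1.0", good, good_digest, "AAAA1111")
    signed_other = Artifact("example-lib", "1.0", good, good_digest, "BBBB2222")
    tampered = Artifact("example-lib", "1.0", good + b"!", good_digest, "AAAA1111")
    unsigned = Artifact("example-lib", "1.0", good, good_digest, None)

    return {
        "trusted_signer": decide(signed_ok, trust, require_trusted=True),
        "untrusted_flag": decide(signed_other, trust, require_trusted=True),
        "untrusted_prompt_yes": decide(signed_other, trust, require_trusted=False,
                                       prompt=lambda question: True),
        "tofu_recorded": "BBBB2222" in trust["example-lib"],
        "tampered": decide(tampered, trust, require_trusted=False,
                           prompt=lambda question: True),
        "unsigned_default": decide(unsigned, trust, require_trusted=False),
        "pin_line": pinned_requirement("example-lib", "1.0", good),
    }


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

Two design points worth noting: the digest check runs before any trust decision, so a trusted key never launders a tampered file, and the non-interactive default with no flag set is "reject", because a tool that silently installs from unknown signers gives no more assurance than one that does not check at all. The TOFU branch is where the question ChrisA raises below bites: whoever answers "y" the first time is the one deciding which keys end up in the store.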
On Tue, 28 Jun 2022 at 21:02, J. Pic <jpic@yourlabs.org> wrote:
Hi
Currently we can upload signed packages on pypi.
Shouldn't pip have a keyring of trusted projects or developers and enforce whitelisting of untrusted packages, either through a requirement flag or through an interactive question in the CLI?
I think this would help with user security if we want to keep PyPI open for uploads from everyone in the long term.
Thanks for your feedback
How would a key get added to the whitelist? Would this unfairly block small developers from publishing their code?

ChrisA
On 28/06/2022 at 12:59, J. Pic wrote:
Hi
Currently we can upload signed packages on pypi.
Shouldn't pip have a keyring of trusted projects or developers and enforce whitelisting of untrusted packages, either through a requirement flag or through an interactive question in the CLI?
I think this would help with user security if we want to keep PyPI open for uploads from everyone in the long term.
Thanks for your feedback
Shouldn't this be raised on the Pip tracker or on https://discuss.python.org/c/packaging? I thought this mailing list was for the Python language itself.
participants (3)
- Chris Angelico
- J. Pic
- Jean Abou Samra