28 Jun 2022, 3:59 a.m.
Hi, currently we can upload signed packages on PyPI. Shouldn't pip have a keyring of trusted projects or developers and enforce whitelisting of untrusted packages, either through a requirement flag or through an interactive question in the CLI? I think this would help with user security if we want to keep PyPI open for upload to all in the long term. Thanks for your feedback.
2 comments
3 participants
- Chris Angelico
- J. Pic
- Jean Abou Samra