[Catalog-sig] Proposal: close the PyPI file-replacement loophole
richard at python.org
Wed Feb 1 03:30:11 CET 2012
On 1 February 2012 13:08, Toshio Kuratomi <a.badger at gmail.com> wrote:
> One problem I've encountered that "requires" re-uploading is forgetting to
> sign my sdists when doing python setup.py sdist upload. There's probably
> a way to use the webui to add the signature after the fact but I haven't
> found a way to sign the existing sdist and upload that signature from the
> command line.
That facility does not exist.
I believe it shouldn't be difficult in the current pypi code to allow
a re-run of the file_upload action (either through the form or through
distutils) where the signature is present and attach the signature to
the existing file, assuming the file accompanying the signature
upload is identical to the existing file.
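
The check proposed in the message above, sketched as an added example that is not part of the original post and is not PyPI's code: a repeat upload may attach a signature only when its bytes match the published file. The names `file_upload`, `StoredFile` and `UploadRejected`, the in-memory index, the SHA-256 comparison and the refusal to overwrite an existing signature are all assumptions; verifying the signature itself is out of scope here.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class StoredFile:
    sha256: str                        # digest recorded at first upload
    signature: Optional[bytes] = None  # detached signature, if one was supplied


class UploadRejected(Exception):
    """Raised when a repeat upload would change or duplicate published data."""


def file_upload(index: Dict[str, StoredFile], filename: str,
                content: bytes, signature: Optional[bytes] = None) -> str:
    """Hypothetical handler; returns 'created' or 'signature-attached'."""
    digest = hashlib.sha256(content).hexdigest()
    existing = index.get(filename)
    if existing is None:
        index[filename] = StoredFile(digest, signature)
        return "created"
    # Repeat upload of a published filename: the stored bytes are never replaced.
    if not hmac.compare_digest(existing.sha256, digest):
        raise UploadRejected("content differs from the published file")
    if signature is None:
        raise UploadRejected("file already exists and no signature was supplied")
    # Assumption: a signature that is already attached is not overwritten.
    if existing.signature is not None:
        raise UploadRejected("file already has a signature")
    existing.signature = signature
    return "signature-attached"


if __name__ == "__main__":
    # Constructed sample data: a release first uploaded without a signature.
    index: Dict[str, StoredFile] = {}
    sdist = b"constructed sdist bytes"
    print(file_upload(index, "example-1.0.tar.gz", sdist))
    print(file_upload(index, "example-1.0.tar.gz", sdist, b"constructed signature"))
    try:
        file_upload(index, "example-1.0.tar.gz", b"different bytes", b"other sig")
    except UploadRejected as exc:
        print("rejected:", exc)
```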