[Distutils] Upload signature (and signing key) after package upload

Nick Coghlan ncoghlan at gmail.com
Mon Feb 23 11:29:46 CET 2015


On 23 Feb 2015 10:05, "Donald Stufft" <donald at stufft.io> wrote:
>
>
>> On Feb 22, 2015, at 6:55 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:
>>
>>
>> On 23 Feb 2015 09:50, "Ben Finney" <ben+python at benfinney.id.au> wrote:
>> >
>> > Richard Jones <richard at python.org> writes:
>> >
>> > > Sorry, there's no facility at present for signing a file that's
>> > > already uploaded.
>> >
>> > Thanks. I can now stop futilely trying to find it :-)
>>
>> Twine lets you at least separate signing from the build step, though:
>> https://pypi.python.org/pypi/twine
>>
>> (Also, doesn't setup.py upload use HTTPS by default now? That part of
>> the twine docs may need qualification)
>>
>>
>
> Yes and no.
>
> Some of the available Pythons have been updated to use an HTTPS
> connection, however they don’t verify them. Python 2.7.9 should (I believe,
> I haven’t actually tested this!) add verification to that. I think that
> Python 3.4.3 includes that as well (if 2.7.9 does then 3.2.3 should as
> well). That of course doesn't affect anyone using 2.6, 2.7.0-2.7.8, 3.2,
> 3.3, and 3.4.0-3.4.2.
>
> There's an issue here about it: https://github.com/pypa/twine/issues/93
>
> I'm not opposed to changing the wording, but I am opposed to changing it
> to something that makes it sound like, in general, it's now safe to use
> ``setup.py upload``, because it still isn’t unless you meet certain
> specific criteria (specifically you only ever interact with PyPI with the
> latest released version of 2.7).

It's the qualifier that the latest versions of Python also have the
security fixed properly that I think would be worthwhile. Updating the
twine docs can likely wait until after 3.4.3 goes out, though.

Cheers,
Nick.

>
> ---
> Donald Stufft
> PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
>
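The distinction the thread turns on is whether the interpreter's standard-library HTTPS client verifies the server certificate at all, which is what `setup.py upload` relies on. The check below is an added example, not code from the thread, twine or distutils; the helper names are ours, and it assumes only the standard-library `ssl` module and the default-context hook that PEP 476 (Python 2.7.9 / 3.4.3) introduced.

```python
"""Check whether this interpreter's stdlib HTTPS clients verify certificates.

Added example (not from the thread, twine or distutils). Helper names are
ours; it assumes only the stdlib ssl module and the PEP 476 default-context
hook that urllib/http.client call when no SSLContext is passed explicitly.
"""
import ssl
import sys


def context_verifies(ctx):
    """True only if a client SSLContext checks both the chain and the hostname."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(getattr(ctx, "check_hostname", False)))


def default_https_verifies():
    """Inspect the context the stdlib clients build when none is supplied.

    ssl._create_default_https_context is the hook PEP 476 installed (2.7.9,
    3.4.3). On older interpreters it does not exist, which is the unverified
    behaviour the message describes; we fall back to the public factory if
    only that is present (assumption: a missing hook means no verification).
    """
    factory = getattr(ssl, "_create_default_https_context", None)
    if factory is None:
        return False
    return context_verifies(factory())


def verifying_context(cafile=None):
    """What a hardened upload client should pass explicitly: a verifying context."""
    return ssl.create_default_context(cafile=cafile)


def unverified_context():
    """Reproduce the pre-PEP 476 client behaviour (for comparison and detection)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # accept any certificate, verify nothing
    return ctx


if __name__ == "__main__":
    ok = default_https_verifies()
    print("Python %s: default HTTPS context %s certificates"
          % (sys.version.split()[0], "verifies" if ok else "does NOT verify"))
    print("explicit verifying context OK:", context_verifies(verifying_context()))
    print("unverified context flagged:", not context_verifies(unverified_context()))
```

Run it with the same interpreter you would use for `setup.py upload`; a "does NOT verify" result means the upload's HTTPS connection can be intercepted by anyone who can present a certificate, valid or not.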