[Distutils] PEP 503 - Simple Repository API

Donald Stufft donald at stufft.io
Thu Sep 24 18:03:36 CEST 2015

On September 7, 2015 at 9:38:00 PM, Donald Stufft (donald at stufft.io) wrote:
> > I'm OK with adding the attribute to links, though we should still  
> mandate the
> location. Neither pip nor setuptools will do anything with the  
> PGP signatures
> but some other tooling might. The legacy behavior of "just try  
> the link" will
> still work then, and if someone wants to do it more efficiently  
> the attribute
> is there. I'm not sure it's going to be generally useful since  
> the signing on
> PyPI doesn't really have a coherent threat model so it doesn't  
> really protect
> against much.

I’ve gone ahead and done this (see https://hg.python.org/peps/rev/9090e66cc8c7).

I’m going to go ahead and accept this PEP now. I think any further modifications are going to go too far beyond the goal of documenting the current state of the API and would require PEPs in their own right.

Donald Stufft
PGP: 0x6E3CBCE93372DCFA // 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

More information about the Distutils-SIG mailing list