[Distutils] PyPI and GPG Signatures

Jeremy Stanley fungi at yuggoth.org
Thu May 12 09:32:12 EDT 2016


On 2016-05-12 07:41:21 -0400 (-0400), Donald Stufft wrote:
[...]
> What do folks think? Would anyone be particularly against getting
> rid of the GPG support in PyPI?

We have plans[*] in the OpenStack community to start autosigning our
sdist and wheel builds (and similar release artifacts we build for
other package ecosystems), so that we can track provenance and
integrity through part of our release pipeline. I'm hoping to have
that implemented in the next few months.

While also uploading these signatures to PyPI was seen as useful, we
do already have another primary location where we can publish detached
signatures along with our release artifacts, so I would probably just
ignore the PyPI/twine-specific part of the work if this goes away.

[*] http://specs.openstack.org/openstack-infra/infra-specs/specs/artifact-signing.html
-- 
Jeremy Stanley
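As an added illustration, not Jeremy's or OpenStack's code, here is the pattern his post describes: produce one detached, ASCII-armored GPG signature per sdist/wheel and verify each artifact against it, failing closed when a signature is missing or the file has been altered. It shells out to the `gpg` CLI with an ephemeral key in a throwaway keyring; the artifact names and the release-bot identity are constructed for the demo.

```python
"""Detached GPG signatures for release artifacts: sign, then verify fail-closed."""
import os
import subprocess
import tempfile
from pathlib import Path


def gpg(home, *args, check=True):
    # Every call uses an isolated keyring so the demo never touches ~/.gnupg.
    env = dict(os.environ, GNUPGHOME=str(home))
    return subprocess.run(["gpg", "--batch", "--yes", *args], env=env,
                          capture_output=True, text=True, check=check)


def make_ephemeral_key(home, uid):
    # Throwaway signing key with no passphrase (constructed release-bot identity).
    gpg(home, "--pinentry-mode", "loopback", "--passphrase", "",
        "--quick-gen-key", uid, "default", "default", "never")


def sign_artifacts(home, uid, dist):
    # One detached .asc beside each artifact, as a release pipeline would publish.
    return [gpg(home, "--armor", "--detach-sign", "--local-user", uid,
                "--output", str(art.with_name(art.name + ".asc")), str(art))
            for art in sorted(dist.iterdir()) if art.suffix != ".asc"]


def verify_artifact(home, art):
    # Consumer-side check: missing signature or bad signature both mean "reject".
    sig = art.with_name(art.name + ".asc")
    if not sig.exists():
        return False
    return gpg(home, "--verify", str(sig), str(art), check=False).returncode == 0


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp, "gnupg")
        home.mkdir(mode=0o700)
        dist = Path(tmp, "dist")
        dist.mkdir()
        (dist / "example-1.0.tar.gz").write_bytes(b"constructed sdist bytes")
        (dist / "example-1.0-py3-none-any.whl").write_bytes(b"constructed wheel bytes")
        uid = "Example Release Bot <release@example.invalid>"  # constructed identity
        make_ephemeral_key(home, uid)
        sign_artifacts(home, uid, dist)
        intact_ok = all(verify_artifact(home, a)
                        for a in dist.iterdir() if a.suffix != ".asc")
        (dist / "example-1.0.tar.gz").write_bytes(b"tampered")  # simulate a modified sdist
        tampered_ok = verify_artifact(home, dist / "example-1.0.tar.gz")
        subprocess.run(["gpgconf", "--kill", "gpg-agent"],
                       env=dict(os.environ, GNUPGHOME=str(home)), check=False)
        return intact_ok, tampered_ok
```

`demo()` returns `(True, False)`: the untouched artifacts verify, the altered sdist does not.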
