[Distutils] GnuPG signatures on PyPI: why so few?

Paul Moore p.f.moore at gmail.com
Sun Mar 12 07:49:16 EDT 2017

On 12 March 2017 at 07:15, Ben Finney <ben+python at benfinney.id.au> wrote:
>> If you can find a tool that is easy to install on Linux, Windows, and Mac,
>> which solves the problems above by virtue of having very good defaults, and
>> is accessible to anyone with less than a few hours to waste on it... Then
>> maybe I would collaborate to make it a requirement.
> No-one here has argued that it be a requirement as things stand now. I'm
> talking about encouraging it as a norm, by improving tool support to
> make it easier.

One tool that needs improvement to be easier to use for this to happen
is GPG itself. As a Windows user, I've "played" with it in the past,
and found it frustratingly difficult. It's fiddly to set up, it's not
officially supported on Windows, it's intrusive (needs an installer
rather than having a portable version), and doesn't give me any
assistance in managing the generated key that I might only need once
every year or two, and not always on the same machine (and at least
one of the machines involved has all access to "internet shared
storage" blocked).

If I were publishing code that was used extensively by others, and I
was being paid to set up a production quality distribution, then I'd
be fine with all this. But for putting up my hobby program for others
to take a look at if they are interested, it's way too much to expect.
(And I'd strongly resist suggestions that such hobby programs be
refused permission to publish on PyPI - everything that's available on
PyPI started off in just that way).
