[Distutils] GnuPG signatures on PyPI: why so few?

Paul Moore p.f.moore at gmail.com
Sun Mar 12 10:35:44 EDT 2017


On 12 March 2017 at 12:13, Ben Finney <ben+python at benfinney.id.au> wrote:
>
>> As a Windows user, I've "played" with it in the past, and found it
>> frustratingly difficult.
>
> I hope many people here will find the guide published by the FSF, Email
> Self-Defense <URL:https://emailselfdefense.fsf.org/>, a useful walk
> through how to set it up properly.

That's about email, though, and as such irrelevant here. I have no
interest in setting up GPG for my email. Part of what I meant by
"intrusive" was "installs plugins for things like email and file
encryption that I don't want".

Part of my issue here is that people promoting signing tend to think
of it as a way of life, rather than as an annoying little extra step
that is needed for one specific activity (publishing to PyPI in the
context of this thread). There's essentially nothing written from the
POV of "you have no interest in signing, and are only doing it because
someone's insisting that you do - so here's how to do the least
possible to make them shut up". You may not agree with that attitude,
but it is very common in my experience, and documents that start by
trying to change the reader's opinion get discarded *remarkably* fast.

But this is way off-topic, so I'll refrain from saying anything more.

Paul
