[Distutils] GnuPG signatures on PyPI: why so few?

Steve Dower steve.dower at python.org
Sun Mar 12 14:57:49 EDT 2017


FWIW, I dropped a portable version into the windows-installer externals that are pulled down by the release scripts (from svn.p.o). It does require me to import my key on new machines, but since I don't use it for anything but re-signing the releases it's worth it to avoid all the intrusions.

So it's definitely possible, just a matter of finding and including the right dependencies to copy around.

Cheers,
Steve

Top-posted from my Windows Phone

-----Original Message-----
From: "Paul Moore" <p.f.moore at gmail.com>
Sent: 3/12/2017 7:36
To: "Ben Finney" <ben+python at benfinney.id.au>
Cc: "Distutils" <Distutils-Sig at python.org>
Subject: Re: [Distutils] GnuPG signatures on PyPI: why so few?

On 12 March 2017 at 12:13, Ben Finney <ben+python at benfinney.id.au> wrote:
>
>> As a Windows user, I've "played" with it in the past, and found it
>> frustratingly difficult.
>
> I hope many people here will find the guide published by the FSF, Email
> Self-Defense <URL:https://emailselfdefense.fsf.org/>, a useful walk
> through how to set it up properly.

That's about email, though, and as such irrelevant here. I have no
interest in setting up GPG for my email. Part of what I meant by
"intrusive" was "installs plugins for things like email and file
encryption that I don't want".

Part of my issue here is that people promoting signing tend to think
of it as a way of life, rather than as an annoying little extra step
that is needed for one specific activity (publishing to PyPI in the
context of this thread). There's essentially nothing written from the
POV of "you have no interest in signing, and are only doing it because
someone's insisting that you do - so here's how to do the least
possible to make them shut up". You may not agree with that attitude,
but it is very common in my experience, and documents that start by
trying to change the reader's opinion get discarded *remarkably* fast.

But this is way off-topic, so I'll refrain from saying anything more.

Paul