[Distutils] GnuPG signatures on PyPI: why so few?

Nick Coghlan ncoghlan at gmail.com
Tue Mar 14 00:23:55 EDT 2017

On 14 March 2017 at 03:46, Steve Dower <steve.dower at python.org> wrote:

> Another drive-by contribution: what if twine printed the hashes for
> anything it uploads with a message basically saying "here are the things
> you should publish somewhere for this release so people can check the
> validity of your packages after they download them"?
> I suspect many publishers have never considered this is something they
> could or should do. Some very basic prompting could easily lead to it
> becoming part of the normal workflow.

Huh, and with most PyPI publishers using public version control systems,
their source control repo itself could even serve as "a trusted channel
that they control and the PyPI service can't influence". For example, the
artifact hashes could be written out by default to:


And if twine sees the hash file exists before it starts the upload, it
could complain that the given artifact had already been published even
before PyPI complains about it.


Nick Coghlan   |   ncoghlan at gmail.com   |   Brisbane, Australia
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/distutils-sig/attachments/20170314/4fc4d861/attachment-0001.html>

More information about the Distutils-SIG mailing list