[Distutils] Upload signature (and signing key) after package upload

Donald Stufft donald at stufft.io
Mon Feb 23 01:05:47 CET 2015


> On Feb 22, 2015, at 6:55 PM, Nick Coghlan <ncoghlan at gmail.com> wrote:
> 
> 
> On 23 Feb 2015 09:50, "Ben Finney" <ben+python at benfinney.id.au> wrote:
> >
> > Richard Jones <richard at python.org> writes:
> >
> > > Sorry, there's no facility at present for signing a file that's already
> > > uploaded.
> >
> > Thanks. I can now stop futilely trying to find it :-)
> 
> Twine lets you at least separate signing from the build step, though: https://pypi.python.org/pypi/twine
> (Also, doesn't setup.py upload use HTTPS by default now? That part of the twine docs may need qualification)
> 
> 

Yes and no.

Some of the available Pythons have been updated to use an HTTPS connection, however they don't verify them. Python 2.7.9 should (I believe, I haven't actually tested this!) add verification to that. I think that Python 3.4.3 includes that as well (if 2.7.9 does then 3.2.3 should as well). That of course doesn't affect anyone using 2.6, 2.7.0-2.7.8, 3.2, 3.3, and 3.4.0-3.4.2.

There's an issue here about it: https://github.com/pypa/twine/issues/93

I'm not opposed to changing the wording, but I am opposed to changing it to something that makes it sound like, in general, it's now safe to use ``setup.py upload``, because it still isn't unless you meet certain specific criteria (specifically you only ever interact with PyPI with the latest released version of 2.7).

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
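The point above is that an upload client can speak HTTPS and still be open to a man-in-the-middle if the interpreter never checks the server certificate. The following is an added example, not code from the thread, twine or distutils, that a practitioner can run to see which side of that line a given interpreter falls on: it encodes the PEP 476 cut-overs (2.7.9 and 3.4.3, after which the stdlib verifies certificates by default) and inspects the `ssl` contexts a stdlib HTTPS client would actually get. The function names `pep476_applies`, `context_verifies`, `verifies_https_by_default` and `upload_client_report` are this example's own; `ssl._create_unverified_context()` is the real stdlib helper PEP 476 added to reproduce the old, unverified behaviour.

```python
import ssl
import sys

# First interpreter of each major line in which PEP 476 turned on certificate
# verification by default for the stdlib HTTPS clients setup.py upload uses.
PEP476_MINIMUM = {2: (2, 7, 9), 3: (3, 4, 3)}


def pep476_applies(version_info):
    """True if a (major, minor, micro) interpreter verifies HTTPS by default."""
    major, minor, micro = version_info[:3]
    minimum = PEP476_MINIMUM.get(major)
    if minimum is None:
        # Assumption of this example: any major line after 3 keeps the default.
        return major > 3
    return (major, minor, micro) >= minimum


def context_verifies(ctx):
    """A client context only protects an upload if it both validates the chain
    and matches the hostname; chain checking alone still allows a MITM with
    any valid certificate for some other name."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def verifies_https_by_default():
    """What a stdlib HTTPS client gets when it asks for the default context."""
    if not hasattr(ssl, "create_default_context"):
        # Pre-PEP 476 interpreter: HTTPS is encrypted but never authenticated.
        return False
    return context_verifies(ssl.create_default_context())


def upload_client_report(version_info=None):
    """Summarise whether this interpreter is safe to upload from."""
    version_info = tuple(version_info or sys.version_info[:3])
    return {
        "version": version_info,
        "version_ok": pep476_applies(version_info),
        "default_context_verifies": verifies_https_by_default(),
        # The opt-out context mirrors the behaviour of 2.7.0-2.7.8 / 3.4.0-3.4.2.
        "unverified_context_verifies": context_verifies(
            ssl._create_unverified_context()
        ),
    }


if __name__ == "__main__":
    for key, value in upload_client_report().items():
        print("%-28s %s" % (key, value))
```

Run it under each interpreter you use for releases; a `version_ok` of False, or a default context that does not verify, means the wire is encrypted but the peer is unauthenticated, which is exactly the situation the wording in the twine docs warns about. Signing the artifact with twine's `--sign` option does not change that: the signature protects consumers of the file, not the upload session itself.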
