GPG signatures invisible in new PyPI (was: Re: new Python Package Index is now in beta at pypi.org)

Sumana Harihareswara sh at changeset.nyc
Sat Mar 31 22:21:02 EDT 2018


On 03/31/2018 06:26 PM, Dominik George wrote:
> Hi,
> 
> On Sat, Mar 31, 2018 at 06:16:51PM -0400, Sumana Harihareswara wrote:
>> The new Python Package Index at https://pypi.org is now in beta.
> 
> Yep!
> 
> I read that the new Warehouse does not offer GPG signature files for
> download.
> 
> Why not?  How can I still get them (append .asc to the source download?),
> and how do I find out whether an upload is signed?
> 
> I am asking mainly as a Debian developer relying on upstream signatures.
> 
> -nik

Thanks for your question, Nik.

Once the legacy site shuts down, GPG/PGP signatures for packages will no
longer be visible in PyPI's web UI. But signatures still appear in the
Simple Project API
https://warehouse.readthedocs.io/api-reference/legacy/#simple-project-api
per PEP 503 https://www.python.org/dev/peps/pep-0503/ .

Donald Stufft, who started Warehouse and is one of its core maintainers,
has made no secret of his opinion that "package signing is not the Holy
Grail"
https://caremad.io/posts/2013/07/packaging-signing-not-holy-grail/ , and
current discussion on the distutils-sig mailing list leans towards
further removing signing features from another part of the Python
packaging ecology (the wheel library)
https://mail.python.org/pipermail/distutils-sig/2018-March/032066.html .
There's other relevant discussion in
https://mail.python.org/pipermail/distutils-sig/2016-May/028933.html and
https://github.com/pypa/warehouse/issues/1439 and I believe
https://github.com/pypa/warehouse/pull/2172 .

This is a policy discussion that probably belongs on distutils-sig
and/or in the "packaging problems" issues repository, like in
https://github.com/pypa/packaging-problems/issues/15 . The people
working on Python packaging and distribution tools want to hear from you
and figure out a way forward that works for everyone, if possible.

I've been trying to reach out to the Debian Python community via IRC,
personal connections, tickets, and mailing lists to ensure a smooth
transition; I see now that a post I tried to get onto the debian-python
list a few weeks ago did not get posted there, so I've re-sent it. I'm
sorry that this is (I infer) the first you're hearing about this change.

-- 
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
https://changeset.nyc
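The answer above points at the PEP 503 Simple Project API as the place where signature status survives. The following is an added example, not code from this thread or from Warehouse, showing how a downstream packager could read that page: it assumes PEP 503's conventions (file links are `<a>` tags, the `href` may end in a `#sha256=<hex>` fragment, and an optional `data-gpg-sig` attribute is `"true"` or `"false"`), and it assumes the signature is served at the file URL with `.asc` appended, the convention Nik asks about. The sample page is constructed.

```python
# Added example (not code from the thread or from Warehouse). Assumes
# PEP 503 conventions: <a> file links, href fragment "#<algo>=<hex>",
# optional data-gpg-sig="true"/"false". Signature URL = file URL + ".asc"
# is an assumption (the convention Nik asks about in the thread).
from html.parser import HTMLParser
from urllib.parse import urldefrag

# Constructed sample page in PEP 503 format (not a real project listing).
SAMPLE_SIMPLE_PAGE = """<!DOCTYPE html><html><body>
<a href="https://files.example.invalid/p/example-1.0.tar.gz#sha256=0a1b" data-gpg-sig="true">example-1.0.tar.gz</a><br/>
<a href="https://files.example.invalid/p/example-1.0-py3-none-any.whl#sha256=2c3d" data-gpg-sig="false">example-1.0-py3-none-any.whl</a><br/>
<a href="https://files.example.invalid/p/example-0.9.tar.gz">example-0.9.tar.gz</a><br/>
</body></html>"""


class SimpleIndexParser(HTMLParser):
    """Collect file links (hash and signature status) from a PEP 503 page."""

    def __init__(self):
        super().__init__()
        self.files = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        href = attrs.get("href")
        if not href:
            return
        url, fragment = urldefrag(href)
        algo, _, digest = fragment.partition("=")  # PEP 503: "<algo>=<hex>"
        sig = attrs.get("data-gpg-sig")  # "true", "false", or absent
        self.files.append({
            "filename": url.rsplit("/", 1)[-1],
            "url": url,
            "hash": (algo, digest) if digest else None,
            # None: the repository made no statement about a signature.
            "signed": None if sig is None else sig == "true",
            "signature_url": url + ".asc" if sig == "true" else None,
        })


def list_files(page_html):
    """Parse a PEP 503 project page into a list of file records."""
    parser = SimpleIndexParser()
    parser.feed(page_html)
    return parser.files


def signed_files(page_html):
    """Return only the files the repository declares as GPG-signed."""
    return [f for f in list_files(page_html) if f["signed"]]
```

A `signed` value of `None` (attribute absent) is distinct from `False`: the repository said nothing, so a tool relying on upstream signatures should treat it as "unknown" rather than "unsigned".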