In data mercoledì 15 novembre 2023 15:58:15 CET, Jeremy Stanley ha scritto:
> why do you need to put an OpenPGP key on the service
> you're using to upload Python packages (not Debian packages) to
> PyPI, given that PyPI doesn't support uploading OpenPGP signatures
> anyway?
I need to create a .tar.gz and a .tar.gz.asc.
I am currently not using any service to upload to pypi. But this requires the
occasional creation and deletion of global tokens.
The only way to avoid global tokens is to upload from github, in which case I
can no longer sign the .tar.gz.
I was more referring to the fact that all the replies were insinuating that
I'm paranoid for not wanting to upload a privkey to some github service, and
that anyway signatures are useless so it doesn't matter.
Plus I find it very questionable that the choice is between creating a global
token and using github, but that's a different issue that I'm not optimist
about.
A signature isn't the same as a checksum. Probably nobody was using them
because there was no way to check them automatically.
Best
--
Salvo Tomaselli
"Io non mi sento obbligato a credere che lo stesso Dio che ci ha dotato di
senso, ragione ed intelletto intendesse che noi ne facessimo a meno."
-- Galileo Galilei
https://ltworf.codeberg.page/Attachment:
signature.asc
Description: This is a digitally signed message part.