Re: RFC: advise against using Proton Mail for Debian work?
Salvo Tomaselli <tiposchi@tiscali.it> writes:
> I am currently not using any service to upload to pypi. But this
> requires the occasional creation and deletion of global tokens.
> The only way to avoid global tokens is to upload from github, in which
> case I can no longer sign the .tar.gz.
Well, you *can*, but you would have to then download the .tar.gz from
PyPI, perform whatever checks you need to in order to ensure it is a
faithful copy of the source release, and then sign it and put that .asc
file somewhere (such as a GitHub release artifact).
But it's an annoying process and I'm not sure anyone has automated it.
> A signature isn't the same as a checksum. Probably nobody was using them
> because there was no way to check them automatically.
I suspect this chicken-and-egg problem is the heart of it. There are
similar mechanisms for Perl modules that, last I checked, no one really
used, although I think there was some recent movement towards maybe
integrating it a bit more. It's very hard to create a critical mass of
people who care enough to keep all the pieces working.
PGP signatures definitely seem to be a minority interest among most
upstream language communities.
--
Russ Allbery (rra@debian.org) <https://www.eyrie.org/~eagle/>
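The manual process Russ sketches above (fetch the sdist PyPI actually serves, confirm it is a faithful copy of the local source release, then detach-sign it and publish the .asc alongside the release) can be scripted. The following is an added example, not code from this thread, from Debian or from PyPI; the function names, the use of `pip download` to fetch the sdist, and the sha256-based comparison are my assumptions about how one would do it. The downloaded file is only signed after it has been shown to be byte-identical to the local release, so a tampered or rebuilt upload never receives a signature.

```shell
#!/bin/sh
# Hypothetical helper (not the author's or PyPI's code): verify that the sdist
# served by PyPI matches the locally built source release, then sign it.
set -u

# Portable SHA-256 of one file: prefer sha256sum, fall back to shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# fetch_sdist DIST_NAME VERSION DEST_DIR
# Downloads only the source distribution (no wheels, no dependencies) of the
# published release into DEST_DIR. Needs network access; not used by the test.
fetch_sdist() {
    pip download --no-deps --no-binary :all: --dest "$3" "$1==$2"
}

# verify_sdist LOCAL_TARBALL DOWNLOADED_TARBALL
# Returns 0 when both files are byte-identical (same SHA-256), 1 otherwise.
verify_sdist() {
    local_sum=$(sha256_of "$1")
    remote_sum=$(sha256_of "$2")
    if [ "$local_sum" = "$remote_sum" ]; then
        echo "OK: $2 matches local release ($local_sum)"
        return 0
    fi
    echo "MISMATCH: local $local_sum, downloaded $remote_sum" >&2
    return 1
}

# sign_sdist TARBALL
# Writes an ASCII-armoured detached signature TARBALL.asc with the default key.
# Returns 2 if gpg is unavailable so callers can tell "unsigned" from "bad".
sign_sdist() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg not found; nothing signed" >&2
        return 2
    fi
    gpg --armor --detach-sign --output "$1.asc" "$1" && echo "wrote $1.asc"
}

# Stand-alone usage: verify_and_sign LOCAL_TARBALL DOWNLOADED_TARBALL
# Only signs the downloaded copy once it is proven identical to the local one.
verify_and_sign() {
    verify_sdist "$1" "$2" || return 1
    sign_sdist "$2"
}

if [ "$#" -ge 2 ]; then
    verify_and_sign "$1" "$2"
fi
```

Run as `sh verify_and_sign.sh dist/pkg-1.0.tar.gz download/pkg-1.0.tar.gz` after fetching the published sdist with `fetch_sdist pkg 1.0 download`. The resulting `.asc` is what would be attached to a GitHub release so that consumers can check it with `gpg --verify pkg-1.0.tar.gz.asc pkg-1.0.tar.gz` against the file they themselves downloaded from PyPI.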