Hello,

You have a system that is an insane overkill. I'm one guy with one computer and no funding to do any of this.

The maintainer of PyPI stated that the issue of the global token being needed is fixed. But it is fixed iff you upload via GitHub's CI. But I want to sign things, and I want the PyPI thing to be identical to the one that I sign. So some other user suggested that I should upload an easy-to-revoke key and use that one to sign.

In the end PyPI's security got worse, because I used to type in my password to upload, while now I am forced to keep it in a plain-text .txt file for twine to be able to read it. This is because one of my projects is "essential" or whatever. So I must use two-factor authentication, which is actually needed only once, to create a global token, and then it can be ignored forever.

I personally actually revoke the global token every time and create a new per-project one. But I can guarantee you that 99% of people in my situation are using a global token for everything.

So in the effort to improve security, PyPI dropped signatures and forces people to keep the password in a .txt file. Personally I think security was not improved, and it seems that the maintainers of PyPI don't even realise. But that's my perception.

--
Salvo Tomaselli

"I do not feel obliged to believe that the same God who has endowed us with sense, reason and intellect intended us to forgo their use." -- Galileo Galilei

https://ltworf.codeberg.page/