Hello,
You have a system that is an insane overkill. I'm one guy with one computer
and no funding to do any of this.
The maintainer of pypi stated that the issue of the global token being needed
is fixed. But it is fixed iff you upload via github's CI.
But I want to sign things and I want the pypi thing to be identical to the one
that I sign.
So some other user suggested that I should upload an easy-to-revoke key and
use that one to sign.
In the end pypi's security got worse because I used to type in my password to
upload, while now I am forced to keep it in a plain text .txt file for twine to
be able to read it.
This is because one of my projects is "essential" or whatever. So I must use
2-factor authentication, which is actually needed only once, to create a
global token and then can be ignored forever.
I personally actually revoke the global token every time, and create a new
per-project one. But I can guarantee you that 99% of people in my situation
are using a global token for everything.
So in the effort to improve security pypi dropped signatures, and forces people
to keep the password in a .txt file.
Personally I think security was not improved, and it seems that the maintainers
of pypi don't even realise. But that's my perception.
--
Salvo Tomaselli
"I do not feel obliged to believe that the same God who has endowed us with
sense, reason and intellect intended us to forgo their use."
-- Galileo Galilei
https://ltworf.codeberg.page/