Re: PyPI source or github source?

[Paul Wise <pabs@debian.org>]

On Sun, Mar 12, 2017 at 10:19 AM, Brian May wrote:

> Sure, you could argue that PyPI source packages should contain
> everything the github package does. In fact there is a PyPI tool to help
> get the MANIFEST.in correct for such purposes -
> https://pypi.python.org/pypi/check-manifest

Anyone interested in packaging this?

> Unfortunately, github releases cannot (AFAIK) easily be signed, unless
> you retrieve signed git tags directly from git (which is not supported
> by uscan AFAIK). Would be good if gbp buildpackage supported signing git
> tags, I don't think it does either.

uscan does support git but doesn't check OpenPGP signatures on tags.
It would probably be easy to add that, please file a bug about it.

> * Do we consider signed git tags / commits secure, considering they are
>   based on SHA1?

Better than having unsigned tags/commits.

> * Is there any point having signed PyPI releases when (very likely) the
>   underlying upstream git repository has no signatures?

Yes, presumably the PyPI releases are built from the author's copy of
the git repository, rather than directly from the online repository,
hopefully they have verified all commits they pulled into it.

> * Is there any point having signed PyPI releases when (very likely) the
>   public key is stored in an insecure DPMT respository on
>   git.debian.org?

Yes, it is also stored in immutable places like the archive and snapshot.d.o.

-- 
bye,
pabs

https://wiki.debian.org/PaulWise