Re: GnuPG signatures on PyPI: why so few?

To: debian-python@lists.debian.org
Subject: Re: GnuPG signatures on PyPI: why so few?
From: Barry Warsaw <barry@debian.org>
Date: Mon, 13 Mar 2017 12:01:15 -0400
Message-id: <[🔎] 20170313120115.027de7c6@subdivisions.wooz.org>
In-reply-to: <[🔎] 85r323gw48.fsf@benfinney.id.au>
References: <[🔎] 85r323gw48.fsf@benfinney.id.au>

On Mar 12, 2017, at 11:46 AM, Ben Finney wrote:

>What prospect is there in the Python community to get signed upstream
>releases become the obvious norm?

I don't know.  Digital security seems to be mostly an afterthought
unfortunately.  I always use `twine upload --sign` so all my projects have
signatures, and for those where I'm also the Debian maintainer or primary
uploader, I try to enable signatures for uscan, but it seems oddly
self-serving. ;)

-Barry

Reply to:

References:
- GnuPG signatures on PyPI: why so few?
  - From: Ben Finney <bignose@debian.org>

Prev by Date: Re: GnuPG signatures on PyPI: why so few?
Next by Date: Re: PyPI source or github source?
Previous by thread: Re: GnuPG signatures on PyPI: why so few?
Next by thread: Updating Celery, Kombu, python-amqp
Index(es):
- Date
- Thread