Ben Finney <bign...@debian.org> writes:

> However, this only works if upstream releases are actually accompanied
> by a valid GnuPG signature each time. The PyPI infrastructure supports
> this; why isn't it more widely encouraged?
One reason I have found for myself: I can forget to sign the package when uploading to PyPI, and PyPI doesn't let you make any changes after the package is uploaded without changing the version (including adding a signature file). There is a long-running bug report on this; it is not going to get fixed (TL;DR: it is not a bug, it is a design feature to allow for caching).

Maybe there is some way of turning signatures on by default, so I don't have to remember for every upload; if so, I haven't been able to work it out yet, however.

-- 
Brian May <b...@debian.org>
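The failure mode Brian describes (an unsigned release that cannot be fixed after upload because PyPI files are immutable) is cheap to guard against on the uploader's side. The script below is an added example, not code from the thread or from any Debian or PyPI tooling: a hypothetical pre-upload wrapper that refuses to hand anything to twine until every artefact in the dist directory has a detached, verifiable ASCII-armoured signature beside it. It assumes gpg and twine are on PATH, that the default GnuPG key is the one you want to sign with, and that the twine version in use attaches an existing `<artefact>.asc` as the upload's signature (as twine did at the time of this thread); the repository name is whatever your .pypirc calls it.

```shell
#!/bin/sh
# Hypothetical pre-upload guard (added example, not from the thread).
# find_unsigned DIST_DIR: print every sdist/wheel in DIST_DIR that has no
# non-empty detached signature (<file>.asc) next to it.
# Returns 0 when everything is signed, 1 when at least one file is not.
find_unsigned() {
    dist_dir=$1
    status=0
    for artefact in "$dist_dir"/*.tar.gz "$dist_dir"/*.whl; do
        [ -e "$artefact" ] || continue        # glob matched nothing
        if [ ! -s "$artefact.asc" ]; then
            printf '%s\n' "$artefact"
            status=1
        fi
    done
    return $status
}

# sign_and_upload DIST_DIR [REPOSITORY]: sign whatever is still unsigned,
# verify every signature, then upload.  Any gpg failure aborts before twine
# is run, so a half-signed release can never reach the (immutable) index.
sign_and_upload() {
    dist_dir=$1
    repo=${2:-pypi}

    # Sign only the files that lack a signature; existing .asc files are kept.
    find_unsigned "$dist_dir" | while IFS= read -r artefact; do
        gpg --armor --detach-sign --output "$artefact.asc" "$artefact" || exit 1
    done || return 1

    # Verify each signature against its artefact with gpg before uploading.
    for artefact in "$dist_dir"/*.tar.gz "$dist_dir"/*.whl; do
        [ -e "$artefact" ] || continue
        gpg --verify "$artefact.asc" "$artefact" >/dev/null 2>&1 || {
            echo "bad or missing signature for $artefact" >&2
            return 1
        }
    done

    # Belt and braces: re-check that nothing is left unsigned.
    find_unsigned "$dist_dir" >/dev/null || return 1

    twine upload --repository "$repo" "$dist_dir"/*
}

# Only act when invoked with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    sign_and_upload "$@"
fi
```

Run it as `sh sign_and_upload.sh dist pypi` after `python setup.py sdist bdist_wheel` (or whatever builds your dist directory). The point of the script is that signing is no longer something to remember per upload: an unsigned artefact is signed, and a signature that does not verify stops the upload rather than producing a release you cannot amend. Caveat: PyPI has since (2023) stopped accepting PGP signatures on uploads, so the same guard today belongs in front of whatever signing mechanism your index does accept.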