> On Feb 22, 2015, at 6:55 PM, Nick Coghlan <ncogh...@gmail.com> wrote:
>
> On 23 Feb 2015 09:50, "Ben Finney" <ben+pyt...@benfinney.id.au> wrote:
> >
> > Richard Jones <rich...@python.org> writes:
> >
> > > Sorry, there's no facility at present for signing a file that's already
> > > uploaded.
> >
> > Thanks. I can now stop futilely trying to find it :-)
>
> Twine lets you at least separate signing from the build step, though:
> https://pypi.python.org/pypi/twine
> (Also, doesn't setup.py upload use HTTPS by default now? That part of the
> twine docs may need qualification)

Yes and no. Some of the available Pythons have been updated to use a HTTPS connection, however they don’t verify them. Python 2.7.9 should (I believe, I haven’t actually tested this!) add verification to that. I think that Python 3.4.3 includes that as well (if 2.7.9 does then 3.2.3 should as well). That of course doesn't affect anyone using 2.6, 2.7.0-2.7.8, 3.2, 3.3, and 3.4.0-3.4.2.

There's an issue here about it: https://github.com/pypa/twine/issues/93

I'm not opposed to changing the wording, but I am opposed to changing it to something that makes it sound like, in general, it's now safe to use ``setup.py upload``, because it still isn’t unless you meet certain specific criteria (specifically you only ever interact with PyPI with the latest released version of 2.7).

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA
_______________________________________________
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
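
Added example, not part of the thread and not code from twine or distutils: a runtime check of the distinction drawn above between using HTTPS and verifying it, reporting whether this interpreter's default HTTPS context validates the certificate chain and the hostname. The function names are hypothetical; `ssl._create_default_https_context` is the hook introduced by PEP 476, and treating its absence as "no verification" is an assumption.

```python
import ssl


def describe_context(ctx):
    """Return the two settings that decide whether the server is authenticated."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
    }


def default_https_verifies():
    """Report what stdlib HTTPS clients in this process do by default.

    Since PEP 476, http.client and urllib obtain their context from the
    module-level hook ssl._create_default_https_context. Assumption: an
    interpreter without that hook is treated as non-verifying.
    """
    factory = getattr(ssl, "_create_default_https_context", None)
    if factory is None:
        return {"verifies_chain": False, "checks_hostname": False}
    return describe_context(factory())


def strict_context(cafile=None):
    """Build a context that verifies regardless of the process-wide default."""
    ctx = ssl.create_default_context(cafile=cafile)
    # Set both explicitly so the result does not depend on library defaults.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


if __name__ == "__main__":
    print("process default:", default_https_verifies())
    print("strict context: ", describe_context(strict_context()))
```

The check also catches a process in which the hook has been replaced with `ssl._create_unverified_context`, which leaves the connection encrypted but unauthenticated.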