> On Feb 22, 2015, at 6:55 PM, Nick Coghlan <[email protected]> wrote:
>
> On 23 Feb 2015 09:50, "Ben Finney" <[email protected]> wrote:
> >
> > Richard Jones <[email protected]> writes:
> >
> > > Sorry, there's no facility at present for signing a file that's already
> > > uploaded.
> >
> > Thanks. I can now stop futilely trying to find it :-)
>
> Twine lets you at least separate signing from the build step, though:
> https://pypi.python.org/pypi/twine
> (Also, doesn't setup.py upload use HTTPS by default now? That part of the
> twine docs may need qualification)

Yes and no. Some of the available Pythons have been updated to use a HTTPS connection, however they don’t verify them. Python 2.7.9 should (I believe, I haven’t actually tested this!) add verification to that. I think that Python 3.4.3 includes that as well (if 2.7.9 does then 3.2.3 should as well). That of course doesn't affect anyone using 2.6, 2.7.0-2.7.8, 3.2, 3.3, and 3.4.0-3.4.2.

There's an issue here about it: https://github.com/pypa/twine/issues/93

I'm not opposed to changing the wording, but I am opposed to changing it to something that makes it sound like, in general, it's now safe to use ``setup.py upload``, because it still isn’t unless you meet certain specific criteria (specifically you only ever interact with PyPI with the latest released version of 2.7).

---
Donald Stufft
PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

_______________________________________________ Distutils-SIG maillist - [email protected] https://mail.python.org/mailman/listinfo/distutils-sig
