On 14 March 2017 at 03:46, Steve Dower <steve.do...@python.org> wrote:
> Another drive-by contribution: what if twine printed the hashes for
> anything it uploads with a message basically saying "here are the things
> you should publish somewhere for this release so people can check the
> validity of your packages after they download them"?
>
> I suspect many publishers have never considered this is something they
> could or should do. Some very basic prompting could easily lead to it
> becoming part of the normal workflow.

Huh, and with most PyPI publishers using public version control systems, their source control repo itself could even serve as "a trusted channel that they control and the PyPI service can't influence".

For example, the artifact hashes could be written out by default to:

    .released_artifacts/<version>/<artifact_name>.sha256

And if twine sees the hash file exists before it starts the upload, it could complain that the given artifact had already been published even before PyPI complains about it.

Cheers,
Nick.

--
Nick Coghlan | ncogh...@gmail.com | Brisbane, Australia
_______________________________________________ Distutils-SIG maillist - Distutils-SIG@python.org https://mail.python.org/mailman/listinfo/distutils-sig
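The scheme sketched in Nick's reply, as an added example that is not code from twine or from anyone in the thread: the publisher side writes `.released_artifacts/<version>/<artifact_name>.sha256` and refuses a second upload of the same artifact, the consumer side checks a download against the committed digest. Function names, the sample wheel filename and the `"<digest>  <filename>"` line layout are assumptions.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

class AlreadyPublished(Exception): pass  # a hash file already exists for this artifact/version

def sha256_of(path):
    """Stream the file through SHA-256 so a large wheel is not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def hash_file_for(repo_root, version, artifact):
    """Committed location: .released_artifacts/<version>/<artifact_name>.sha256"""
    return Path(repo_root) / ".released_artifacts" / version / (Path(artifact).name + ".sha256")

def record_before_upload(repo_root, version, artifact):
    """Publisher side: refuse if a digest was already recorded, else write it for committing."""
    hash_path = hash_file_for(repo_root, version, artifact)
    if hash_path.exists():
        raise AlreadyPublished(f"{hash_path} exists: {Path(artifact).name} already published")
    digest = sha256_of(artifact)
    hash_path.parent.mkdir(parents=True, exist_ok=True)
    hash_path.write_text(f"{digest}  {Path(artifact).name}\n")  # assumed sha256sum -c layout
    return digest

def verify_download(repo_root, version, downloaded):
    """Consumer side: compare a downloaded artifact against the committed digest."""
    expected = hash_file_for(repo_root, version, downloaded).read_text().split()[0]
    return hmac.compare_digest(expected, sha256_of(downloaded))

def demo():
    """Constructed run on a fake 1.0 wheel: returns (digest, download_verified, second_upload_refused)."""
    root = Path(tempfile.mkdtemp())
    artifact = root / "dist" / "pkg-1.0-py3-none-any.whl"  # assumed artifact name
    artifact.parent.mkdir(parents=True)
    artifact.write_bytes(b"abc")  # constructed stand-in for wheel contents
    digest = record_before_upload(root, "1.0", artifact)
    verified = verify_download(root, "1.0", artifact)
    try:
        record_before_upload(root, "1.0", artifact)  # second upload of the same release
        refused = False
    except AlreadyPublished:
        refused = True
    return digest, verified, refused
```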