* Ian Cordasco <graffatcolmin...@gmail.com>, 2017-03-11, 20:26:
What prospects are there for PyPI to have GnuPG-signed packages by default?
Could you clarify what you mean by "by default"? Do you mean that people who want to upload unsigned packages would have to jump through extra hoops, or something else?
Debian's UScan has the ability to find, download, and verify the GnuPG signature for a package source release.
FWIW, it's not only Debian. OpenSUSE and Arch (and hopefully all other major distros) have tools to automatically verify upstream OpenPGP signatures, too.
-- Jakub Wilk