On Sun, 2025-08-24 at 15:32 -0400, Eli Schwartz wrote:
> On 8/24/25 3:12 PM, Michał Górny wrote:
> > Hi,
> >
> > Here's a patchset that introduces provenance verification (i.e.
> > verify-sig equivalent) for pypi.eclass.
>
>
> I strongly believe this should *not* be merged.
>
> There are a couple reasons why I don't think this is beneficial and
> would strongly push back against implementing it in any package I
> maintain (even if the relevant files are uploaded to PyPI). But the main
> issue is the one you said already in IRC:
>
> "yes, it worked. yes, it's all theater"
>
> I am opposed to implementing anything which even the author thinks is
> useless.
My personal opinion about this or about using GitHub doesn't change the fact that it's the official upstream recommendation.

The flags aren't intended to be used by users; users have Manifests. They are helpful for developers to double-check that the artifacts aren't compromised (or more likely, that "something went wrong").

-- 
Best regards,
Michał Górny