On 03/31/2018 06:26 PM, Dominik George wrote:
> Hi,
>
> On Sat, Mar 31, 2018 at 06:16:51PM -0400, Sumana Harihareswara wrote:
>> The new Python Package Index at https://pypi.org is now in beta.
>
> Yep!
>
> I read that the new Warehouse does not offer GPG signature files for
> download.
>
> Why not? How can I still get them (append .asc to the source download?),
> and how do I find out whether an upload is signed?
>
> I am asking mainly as a Debian developer relying on upstream signatures.
>
> -nik

Thanks for your question, Nik.

Once the legacy site shuts down, GPG/PGP signatures for packages will no longer be visible in PyPI's web UI. But signatures still appear in the Simple Project API https://warehouse.readthedocs.io/api-reference/legacy/#simple-project-api per PEP 503 https://www.python.org/dev/peps/pep-0503/ .

Donald Stufft, who started Warehouse and is one of its core maintainers, has made no secret of his opinion that "package signing is not the Holy Grail" https://caremad.io/posts/2013/07/packaging-signing-not-holy-grail/ , and current discussion on the distutils-sig mailing list leans towards further removing signing features from another part of the Python packaging ecology (the wheel library) https://mail.python.org/pipermail/distutils-sig/2018-March/032066.html . There's other relevant discussion in https://mail.python.org/pipermail/distutils-sig/2016-May/028933.html and https://github.com/pypa/warehouse/issues/1439 and I believe https://github.com/pypa/warehouse/pull/2172 .

This is a policy discussion that probably belongs on distutils-sig and/or in the "packaging problems" issues repository, like in https://github.com/pypa/packaging-problems/issues/15 . The people working on Python packaging and distribution tools want to hear from you and figure out a way forward that works for everyone, if possible.

I've been trying to reach out to the Debian Python community via IRC, personal connections, tickets, and mailing lists to ensure a smooth transition; I see now that a post I tried to get onto the debian-python list a few weeks ago did not get posted there, so I've re-sent it. I'm sorry that this is (I infer) the first you're hearing about this change.

--
Sumana Harihareswara
Warehouse project manager
Changeset Consulting
https://changeset.nyc
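
An added example, not part of the original message and not Warehouse's own code: one way to read signature information from a PEP 503 Simple API project page, using the optional `data-gpg-sig` link attribute and the `.asc` naming rule that PEP 503 defines. The page content, the host `index.example` and the package name are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag

# Constructed sample of a PEP 503 project page; host and package are hypothetical.
BASE_URL = "https://index.example/simple/example-pkg/"
SAMPLE_PAGE = """<!DOCTYPE html>
<html><body>
<a href="../../packages/ab/cd/example_pkg-1.0.tar.gz#sha256=0000" data-gpg-sig="true">example_pkg-1.0.tar.gz</a><br/>
<a href="../../packages/ab/cd/example_pkg-1.0-py3-none-any.whl#sha256=1111" data-gpg-sig="false">example_pkg-1.0-py3-none-any.whl</a><br/>
<a href="../../packages/ab/cd/example_pkg-0.9.tar.gz#sha256=2222">example_pkg-0.9.tar.gz</a><br/>
</body></html>"""


class _FileLinks(HTMLParser):
    """Collect (filename, signed, asc_url) for every file link on the page."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.files = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag != "a" or not attrs.get("href"):
            return
        # Resolve the relative href and drop the "#sha256=..." hash fragment.
        url, _ = urldefrag(urljoin(self.base_url, attrs["href"]))
        # data-gpg-sig is optional: True/False when stated, None when absent.
        signed = {"true": True, "false": False}.get(attrs.get("data-gpg-sig"))
        # PEP 503: a signature lives next to the file, same name plus ".asc".
        self.files.append((url.rsplit("/", 1)[-1], signed, url + ".asc"))


def list_files(page_html, base_url):
    parser = _FileLinks(base_url)
    parser.feed(page_html)
    return parser.files


if __name__ == "__main__":
    for name, signed, asc_url in list_files(SAMPLE_PAGE, BASE_URL):
        state = {True: "signed", False: "unsigned", None: "not stated"}[signed]
        print(f"{name}: {state}; signature location: {asc_url}")
```

A `signed` value of `None` means the index did not state it, so the `.asc` URL has to be requested to find out. The attribute only says a signature file exists; whether it verifies against a key you trust is a separate check.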