pallets-eco/flask-mail

Please sign tarball

Natureshadow opened this issue · 2 comments

I am maintaining Flask-Mail in Debian, which prefers cryptographic verification of upstream tarballs.

Please sign the source tarball on PyPI if at all possible.

Our new publish workflow generates SLSA provenance for the build and places that in the GitHub release page, as Flask and other Pallets projects do. PyPI no longer handles PGP signatures, but is currently working on their own provenance support as part of trusted publishing.

Note that this does not mean that we are tied to the GitHub platform. PyPI trusted publishing already works with multiple platforms and more are being added. SLSA provenance is not part of GitHub, nor is PyPI's own provenance support. The provenance is hosted on GitHub release pages because that is a place we can easily host it. If we moved to another source host, we would presumably build provenance and put it there instead. Sarcastically commenting about our (a group of volunteers working in our free time) use of a convenient and popular git service is not productive or appreciated, and will not help you get support.
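For a downstream packager who wants to consume the provenance the maintainer describes, the following is an added example, not code from Flask-Mail or the Pallets project. It assumes the provenance is published as a DSSE envelope wrapping an in-toto SLSA v0.2 statement, one JSON envelope per line (the `multiple.intoto.jsonl` layout produced by the SLSA GitHub generators), and that the `configSource.uri` and `builder.id` values have the `git+https://github.com/<owner>/<repo>@...` and `https://github.com/slsa-framework/slsa-github-generator/...` shapes; those prefixes, the sample file name and the sample sdist bytes are all constructed here. It performs only the cheap offline checks (does the recorded subject digest match the local file, was it built from the expected repository, by the expected builder); the Sigstore signature on the envelope is deliberately not verified here and must be checked with a real verifier before these checks mean anything.

```python
"""Offline consistency checks on SLSA provenance for a downloaded sdist.

Added example (not Flask-Mail's code). Signature verification is NOT done here;
run a real verifier on the envelope first, then use these checks to bind the
provenance to the file you actually downloaded.
"""
import base64
import hashlib
import json

# Constructed stand-in for a downloaded sdist; in practice read the real file.
SAMPLE_SDIST = b"constructed sample sdist bytes\n"
SAMPLE_NAME = "flask_mail-0.0.0.tar.gz"  # hypothetical file name
# Assumed prefix of predicate.invocation.configSource.uri for this repository.
SAMPLE_REPO = "git+https://github.com/pallets-eco/flask-mail@"
# Assumed prefix of predicate.builder.id for the SLSA GitHub generator.
GENERATOR_PREFIX = "https://github.com/slsa-framework/slsa-github-generator/"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sample_envelope(name: str, data: bytes, tag: str = "0.0.0") -> str:
    """Build one DSSE envelope line wrapping an in-toto SLSA v0.2 statement.

    Constructed sample only: the signature is a placeholder, so this envelope
    would (correctly) fail signature verification by a real verifier.
    """
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": "https://slsa.dev/provenance/v0.2",
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(data)}}],
        "predicate": {
            "builder": {"id": GENERATOR_PREFIX + "generator@refs/tags/v0.0.0"},
            "buildType": GENERATOR_PREFIX + "generic@v1",
            "invocation": {
                "configSource": {
                    "uri": SAMPLE_REPO + "refs/tags/" + tag,
                    "digest": {"sha1": "0" * 40},
                    "entryPoint": ".github/workflows/publish.yaml",
                }
            },
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    envelope = {
        "payloadType": "application/vnd.in-toto+json",
        "payload": payload,
        "signatures": [{"keyid": "", "sig": "PLACEHOLDER"}],
    }
    return json.dumps(envelope)


def decode_statement(envelope_line: str) -> dict:
    """Unwrap the DSSE envelope and return the in-toto statement it carries."""
    envelope = json.loads(envelope_line)
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("not an in-toto DSSE envelope")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if not statement.get("predicateType", "").startswith("https://slsa.dev/provenance/"):
        raise ValueError("not a SLSA provenance predicate")
    return statement


def check_provenance(envelope_line: str, name: str, data: bytes,
                     repo_prefix: str = SAMPLE_REPO) -> dict:
    """Report which offline checks pass for the given local artifact bytes.

    subject_matches: sha256 of the local bytes equals the digest recorded for `name`.
    source_matches:  the build was configured from the expected repository (assumed URI shape).
    builder_trusted: the builder id carries the assumed SLSA generator prefix.
    """
    statement = decode_statement(envelope_line)
    local_digest = sha256_hex(data)
    recorded = {s["name"]: s.get("digest", {}).get("sha256")
                for s in statement.get("subject", [])}
    predicate = statement.get("predicate", {})
    source_uri = predicate.get("invocation", {}).get("configSource", {}).get("uri", "")
    builder_id = predicate.get("builder", {}).get("id", "")
    return {
        "subject_matches": recorded.get(name) == local_digest,
        "source_matches": source_uri.startswith(repo_prefix),
        "builder_trusted": builder_id.startswith(GENERATOR_PREFIX),
    }


if __name__ == "__main__":
    line = make_sample_envelope(SAMPLE_NAME, SAMPLE_SDIST)
    print("genuine :", check_provenance(line, SAMPLE_NAME, SAMPLE_SDIST))
    print("tampered:", check_provenance(line, SAMPLE_NAME, SAMPLE_SDIST + b"x"))
```

The subject-digest check is the one that actually ties the provenance to the tarball on disk: a verifier can prove the envelope was signed by the expected workflow, but only comparing the recorded sha256 with the bytes you downloaded shows that this file is the one that workflow built.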