It seems we'll have a lot of "fun" with the #PyPi decision to remove signatures for sdist tarballs (https://blog.pypi.org/posts/2023-05-23-removing-pgp/) going forward.
To scream into the void: Yes, PyPI, someone was using those signatures. Distro package maintainers secured user supply chains with it!
I'm not looking forward to asking dozens of upstreams to host their signatures elsewhere (just stumbled across one case). Meanwhile reproducibility is now broken for those packages.
#ArchLinux #packagerlife #Python