Release artifacts missing for 0.3.0
Bug #2028762 reported by David Runge
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lazr.config | New | Undecided | Unassigned |
Bug Description
Hi! I package this project for Arch Linux.
The current release on PyPI is 0.3.0, which unfortunately has no respective artifacts on launchpad.
Could you please add them?
Also, since PyPI just silently removed the OpenPGP signature files for existing releases, they broke our reproducibility and trust path [1].
Can you therefore please also attach a signature file for a release tarball, signed by either AC0A4FF12611B6F
This would allow us to use launchpad as trusted upstream going forward.
Thank you! :)
[1] https:/
Hey David,
We quickly discussed this issue in our team.
PyPI is the de-facto publishing platform for Python packages.
While we have also published releases here on Launchpad in the past, we are strongly considering stopping that.
I do understand that your workflow is built on signatures, but PyPI has stopped supporting them for the reasons announced in https://blog.pypi.org/posts/2023-05-23-removing-pgp/, also outlined in https://blog.yossarian.net/2023/05/21/PGP-signatures-on-PyPI-worse-than-useless
I assume that you have a workflow set up which would also work without signatures.
If you have ideas how to improve the security aspect for PyPI, please reach out to Seth, who is the new security developer in residence (https://sethmlarson.dev/security-developer-in-residence).
Jürgen Gmach
Launchpad team