Comment 1 for bug 2028762

Jürgen Gmach (jugmac00) wrote :

Hey David,

We quickly discussed this issue in our team.

PyPI is the de-facto publishing platform for Python packages.

While we have also published releases here on Launchpad in the past, we are strongly considering stopping that.

I do understand that your workflow is built on signatures, but PyPI has stopped supporting them for the reasons announced in https://blog.pypi.org/posts/2023-05-23-removing-pgp/, also outlined in https://blog.yossarian.net/2023/05/21/PGP-signatures-on-PyPI-worse-than-useless

I assume that you have a workflow set up which also would work without signatures.

If you have ideas on how to improve the security aspect of PyPI, please reach out to Seth, who is the new Security Developer in Residence (https://sethmlarson.dev/security-developer-in-residence).

Jürgen Gmach
Launchpad team