On Mar 12, 2017, at 11:46 AM, Ben Finney wrote:

>What prospect is there in the Python community to get signed upstream
>releases become the obvious norm?

I don't know. Digital security seems to be mostly an afterthought unfortunately. I always use `twine upload --sign` so all my projects have signatures, and for those where I'm also the Debian maintainer or primary uploader, I try to enable signatures for uscan, but it seems oddly self-serving. ;)

-Barry