What replaces gpg for ensuring integrity of the uploaded code?

Scott K
On April 1, 2018 2:15:54 AM UTC, Sumana Harihareswara <s...@changeset.nyc> wrote:
> Debian-Python experts,
>
> I'm writing to you in hopes you will forward this to the right places,
> and file relevant bugs against uscan/watch, which I don't quite
> understand enough to do myself. And if you want to follow up on
> https://github.com/pypa/warehouse/issues/358#issuecomment-337233792 and
> file a new issue asking for us to support your redirector more cleanly,
> I'd welcome that.
>
> I'm the project manager for the new Python Package Index (Warehouse),
> which is currently in beta at http://pypi.org/ . On the Warehouse
> roadmap[1], it looks like the full switch will happen sometime
> in April, so here's a heads-up about why we're switching, what's
> changed, and what to expect. (Much of it won't be directly important to
> you, but I figure you might want to know anyway!)
>
> The legacy PyPI site at https://pypi.python.org started in the early
> 2000s. In recent years, users faced outages, malicious packages, and
> spam attacks, and the legacy codebase made it hard to maintain and even
> harder to develop new features.
>
> The new PyPI has a far more modern look, and is up-to-date under the
> hood as well; a proper web framework (Pyramid), 100% backend test
> coverage, and a Docker-based development environment make it easier for
> current and new developers to maintain it and add features.
>
> Thanks to Mozilla's Open Source Support funding[2], developers have
> added many new features, overhauled infrastructure, and made steady
> progress towards redirecting traffic to the new site and shutting down
> the old one. As of the middle of last year, package releases must go
> through the new PyPI, and as of late February, new user account
> registration is only available on the new site. The full switch will
> include redirecting browser and pip install traffic from the old site;
> then, sometime in late April or early May, the legacy site will be
> entirely shut down.
>
> Thanks to redirects, you may not have to change anything immediately.
> Here's a migration guide.[3]
>
> Some new PyPI features:
>  * mobile-responsive UI
>  * chronological release history for each project (example[4])
>  * easy-to-read project activity journal for project maintainers
>  * better search and filtering
>  * support for multiple project URLs (e.g., for a homepage and a
>    repo[5])
>  * user-visible Gravatars and email addresses for maintainers
>  * no need to "register" a project before initial upload
>  * far better backend infrastructure, reducing the frequency of outages
>
> Things that are going away, or already have (sometimes for policy or
> spam-fighting reasons), include:
>  * pythonhosted.com documentation hosting (pypa/warehouse#582[6])
>  * download counts visible in the API[7] (instead, use the Google
>    BigQuery service[8])
>  * GPG/PGP signatures for packages (still visible in the Simple Project
>    API[9] per PEP 503[10], but no longer visible in the web UI)
>  * key management: PyPI no longer has a UI for users to manage their GPG
>    or SSH public keys
>  * package maintainers being able to upload a new release via the web UI
>    (instead, the recommended command-line tool is Twine[11])
>  * package maintainers being able to log in and update release
>    descriptions via the web UI (to update release metadata, they need to
>    upload a new release; see distutils-sig discussion[12])
>  * OpenID and Google auth login[13]
>  * users being able to upload a package without verifying their email
>    address with PyPI first
>  * HTTP access to APIs; now it's HTTPS-only[14]
>
> And in the works:
>  * PEP 541[15] will enable more timely package takeovers, as people get
>    package names transferred to them after conflict resolution
>  * Now that PEP 566 has been approved, developers are working to get
>    Markdown supported for README files on PyPI[16]
>
> For future updates, please sign up for the low-traffic PyPI
> announcements email list[17].
>
> Thank you for integrating with PyPI, and please let us know[18] if you
> have any questions or problems with the new site!
> --
> Sumana Harihareswara
> Changeset Consulting
> https://changeset.nyc
>
> Links:
>
>  1. https://wiki.python.org/psf/WarehouseRoadmap
>  2. https://pyfound.blogspot.com/2017/11/the-psf-awarded-moss-grant-pypi.html
>  3. https://warehouse.readthedocs.io/api-reference/integration-guide/#migrating-to-the-new-pypi
>  4. https://pypi.org/project/pip/#history
>  5. https://packaging.python.org/tutorials/distributing-packages/#project-urls
>  6. https://github.com/pypa/warehouse/issues/582
>  7. https://warehouse.readthedocs.io/api-reference/xml-rpc/#changes-to-legacy-api
>  8. https://packaging.python.org/guides/analyzing-pypi-package-downloads/
>  9. https://warehouse.readthedocs.io/api-reference/legacy/#simple-project-api
> 10. https://www.python.org/dev/peps/pep-0503/
> 11. http://twine.readthedocs.io/
> 12. https://mail.python.org/pipermail/distutils-sig/2017-December/031826.html
> 13. https://mail.python.org/pipermail/distutils-sig/2018-January/031855.html
> 14. https://mail.python.org/pipermail/distutils-sig/2017-October/031712.html
> 15. https://www.python.org/dev/peps/pep-0541/
> 16. https://github.com/pypa/warehouse/issues/869#issuecomment-340928703
> 17. https://mail.python.org/mm3/mailman3/lists/pypi-announce.python.org/
> 18. https://github.com/pypa/warehouse/issues/new
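The quoted announcement says GPG signatures remain visible only through the Simple Project API per PEP 503. What that API actually exposes for integrity checking is the digest in each file link's URL fragment (`#<hashname>=<hashvalue>`) plus a `data-gpg-sig` attribute flagging whether a detached signature exists. The following is an added example, not code from the thread or from Warehouse: it parses a constructed PEP 503 project page with the standard library, pulls out the advertised digest and signature flag for each file, and checks a (constructed) downloaded artifact against the advertised digest. The HTML, file names and file contents are all made up for the example; the digest in the page is computed from the constructed bytes so the check is self-consistent.

```python
"""Added example: reading integrity metadata from a PEP 503 "simple" page.

PEP 503 (https://www.python.org/dev/peps/pep-0503/) requires each file link
to carry "#<hashname>=<hashvalue>" in its URL fragment, and lets the index
advertise a detached GPG signature with data-gpg-sig="true". Everything
below (page, file names, file bytes) is constructed for illustration.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed artifact and the digest a PEP 503 page would advertise for it.
GOOD_FILE = b"constructed sdist contents for the example\n"
GOOD_DIGEST = hashlib.sha256(GOOD_FILE).hexdigest()

# Constructed project page in the PEP 503 shape. The second link has no
# hash fragment at all, which a careful client must treat as unverifiable.
SAMPLE_PAGE = f"""<!DOCTYPE html><html><body>
<a href="../../packages/aa/bb/example-1.0.tar.gz#sha256={GOOD_DIGEST}"
   data-gpg-sig="true" data-requires-python="&gt;=3.5">example-1.0.tar.gz</a><br/>
<a href="../../packages/cc/dd/example-0.9.tar.gz">example-0.9.tar.gz</a><br/>
</body></html>"""


class SimpleIndexParser(HTMLParser):
    """Collect one record per <a> tag: file name, digest, and GPG flag."""

    def __init__(self):
        super().__init__()
        self.files = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        attrs = dict(attrs)
        parts = urlsplit(attrs.get("href", ""))
        algorithm = digest = None
        if "=" in parts.fragment:
            algorithm, digest = parts.fragment.split("=", 1)
        self.files.append({
            "filename": parts.path.rsplit("/", 1)[-1],
            "algorithm": algorithm,
            "digest": digest,
            # PEP 503: present and "true" only if a detached .asc exists.
            "gpg_sig": attrs.get("data-gpg-sig") == "true",
            "requires_python": attrs.get("data-requires-python"),
        })


def parse_simple_page(html):
    """Return the list of file records found on a PEP 503 project page."""
    parser = SimpleIndexParser()
    parser.feed(html)
    return parser.files


def verify_file(entry, data):
    """True iff data's digest equals the digest the index advertised.

    A link without a fragment, or with an algorithm this Python build does
    not know, is reported as a failure rather than skipped: "no check" must
    never look like "check passed".
    """
    if not entry["algorithm"] or not entry["digest"]:
        return False
    try:
        h = hashlib.new(entry["algorithm"])
    except ValueError:  # unsupported hash name
        return False
    h.update(data)
    return h.hexdigest() == entry["digest"].lower()


if __name__ == "__main__":
    for entry in parse_simple_page(SAMPLE_PAGE):
        status = "ok" if verify_file(entry, GOOD_FILE) else "FAIL"
        print(f"{entry['filename']}: gpg_sig={entry['gpg_sig']} "
              f"digest={entry['algorithm']} -> {status}")
```

The digest fragment only proves that the file you downloaded is the file the index described; it is as trustworthy as the channel the index came over, which is why the announcement's move to HTTPS-only APIs matters for this check. The `data-gpg-sig` flag tells a client that a detached signature can be fetched, but verifying it still requires a key the client already trusts, which the index does not supply.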