Closed dvzrv closed 1 year ago
Ugh, the PyPA folks really love making people’s lives worse.
I uploaded 8.2.4’s assets and signatures to GitHub: https://github.com/getnikola/nikola/releases/tag/v8.2.4
I’ll update our release procedure to do the same for future releases.
Thank you! Much appreciated :heart:
Requested Feature: Since PyPI does not support (and outright removed existing) OpenPGP signatures on the platform, downstream reproducibility is now broken (see https://archlinux.org/todo/fix-reproducibility-of-packages-broken-by-pypi-removing-signature-files/). Hence, it would be great if you could add an OpenPGP signature (using the same key as before) for the auto-generated source tarball.
Related Area: release
Do you want to contribute this yourself as a pull request? (don’t worry about it if you don’t want to/can’t — someone else can take care of it)
Does this feature affect backwards compatibility? If yes, in what way?
Currently, reproducibility for all releases is broken if downstreams relied upon a signature file from PyPI.
Rationale and full description: (why should it be added to Nikola?)
This ensures the continued trust path of the releases and fixes reproducibility for downstreams.
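The signing and downstream verification step this request describes, as an added shell example that is not part of the Nikola project's release tooling or of this issue. It assumes gpg (GnuPG 2.1+) is on PATH, generates a throwaway ed25519 key in a temporary GNUPGHOME, and uses a constructed file as a stand-in for the auto-generated source tarball; the key identity `release@example.invalid` and the function names are hypothetical. The point it adds beyond the text is that a downstream must pin the publisher's fingerprint: a signature that is merely valid but made by a different key is rejected just like a tampered file.

```shell
#!/bin/sh
# Added example, not Nikola's release tooling: detached-sign a release tarball
# with OpenPGP and verify it the way a downstream packager would, pinning the
# expected key fingerprint rather than trusting whatever key signed the file.
# Assumptions: gpg (GnuPG 2.1+) is installed; a throwaway ed25519 key is made
# in a temporary GNUPGHOME; a constructed file stands in for the tarball.
set -eu

# sign_release TARBALL FINGERPRINT: write an ASCII-armoured detached signature
# next to the tarball (TARBALL.asc), the file a release page should carry.
# The loopback/empty-passphrase flags only suit the unprotected demo key;
# a real release key is passphrase-protected and would not use them.
sign_release() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --local-user "$2" --armor --detach-sign --output "$1.asc" "$1"
}

# verify_release TARBALL FINGERPRINT: print "ok" only if the signature is
# cryptographically valid AND was made by the pinned key. A valid signature
# from some other key prints "wrong-key"; a bad or missing one prints "bad".
verify_release() {
    tarball=$1
    expected_fpr=$2
    # --status-fd gives machine-readable lines; a failed verify exits non-zero.
    status=$(gpg --batch --status-fd 1 --verify "$tarball.asc" "$tarball" \
             2>/dev/null) || { echo bad; return 1; }
    # VALIDSIG: field 3 is the signing (sub)key fingerprint, the last field
    # the primary key fingerprint; compare against the published primary key.
    got_fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ {print $NF; exit}')
    if [ "$got_fpr" = "$expected_fpr" ]; then
        echo ok
    else
        echo wrong-key
        return 1
    fi
}

# release_signing_demo: end-to-end run on constructed data; prints the three
# verify outcomes ("ok bad wrong-key") so a caller can check them.
release_signing_demo() {
    tmp=$(mktemp -d)
    GNUPGHOME="$tmp/gnupg"; export GNUPGHOME
    mkdir -p "$GNUPGHOME"; chmod 700 "$GNUPGHOME"
    tarball="$tmp/nikola-8.2.4.tar.gz"
    printf 'constructed stand-in for the source tarball\n' > "$tarball"

    # Throwaway signing key (hypothetical identity, not the project's key).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Release Example <release@example.invalid>' \
        ed25519 sign never 2>/dev/null
    fpr=$(gpg --batch --with-colons --list-keys | awk -F: '$1=="fpr" {print $10; exit}')

    sign_release "$tarball" "$fpr"
    r_ok=$(verify_release "$tarball" "$fpr")
    # Tampered artifact: the signature no longer matches the bytes.
    printf 'x' >> "$tarball"
    r_bad=$(verify_release "$tarball" "$fpr") || true
    # Intact artifact, valid signature, but a different pinned fingerprint.
    sign_release "$tarball" "$fpr"
    r_wrong=$(verify_release "$tarball" "0000000000000000000000000000000000000000") || true

    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
    echo "$r_ok $r_bad $r_wrong"   # prints: ok bad wrong-key
}
```

For a real release the signer would use the project's long-lived key (`--local-user` with its fingerprint) and upload `nikola-8.2.4.tar.gz.asc` alongside the tarball; the downstream side needs only the `.asc`, the tarball and the fingerprint it already trusts from earlier releases.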