Closed Flimm closed 2 months ago
Yes, it's the same project. The readme is rendered in multiple places, including PyPI where a link to PyPI wouldn't make sense. You can see in PyPI that the project is part of the Pallets org, and you can find various links and mentions on our website and docs. In GitHub's interface, you can also find a link in recent releases, as well as in recent deployment runs. PyPI is also working on a broader system to attest the source of an upload, which we'll use when it's available.
Thank you for taking the time to explain the reasoning.
The README.md file does not mention or link to any PyPI project, so it is not clear if this GitHub repo is published on PyPI or not.
I found https://pypi.org/project/Werkzeug/ on PyPI, which links to this GitHub repo. However, this could have been uploaded to PyPI by anybody. PyPI does not perform any verification, the only way to check that the same person is behind both the GitHub repo and the PyPI project is to check manually that they link to each other. Right now, the PyPI project links to the GitHub repo, but not the other way around.
In the linked documentation, I found this instruction:
That does confirm the association to the PyPI project, but I would prefer it if there was a link or a mention of the PyPI project in the README.md file itself. Checking that the PyPI project and the GitHub repo link to each other is one of the first things I do when looking at a project, so it would be helpful for that reason. This is just a suggestion.