sigmavirus24
commented
1 year ago Other indices? twine supports uploading to an arbitrary index; are there popular third-party indices that still support PGP signatures?
I don't know and that's the big question I have. Are other folks using other indices signing things due to some misguided understanding of what signing does for them?
Alignment with other uploading clients? I don't think Poetry ever supported PGP signatures; I'm not sure about others.
Poetry was developed long after PyPI started to elide signatures from the UI. Twine has been around longer and was a replacement for setup.py upload which had similar functionality which needed to have essentially the same functionality to get people to migrate.
Overall I'm supportive of this because every few years someone wants support for some other binary name, so I'd love to get rid of that altogether.
That said, I still don't know what we don't know (is anyone using this for anything other than PyPI) and for the people that are using it for PyPI , do they actually understand that PyPI isn't storing those signatures? I guess the first step is for twine to add a deprecation warning when that flag is used or an armor file is detected and being uploaded to PyPI.org and maybe issue a different warning for folks using a different index.
woodruffw
First of all, thank you for
twine! I'm a daily user both professionally and personally, and it's been a joy to use.This is intended to be an RFC/proposal issue for a feature removal, so I've elided some sections below where I believed them to be irrelevant. Please let me know if I re-add them.
The Issue
PyPI removed PGP support in May 2023: since then, pre-existing PGP signatures have continued to be hosted, but new signatures are silently ignored when uploaded alongside a new distribution version.
twinestill has a handful of flags and options that reflect PyPI's previous support for PGP, namely--sign,--sign-with, and--identity. These flags still take effect and perform local actions, but ultimately have no effect on the state of the package index. This in turn is a potential source of user confusion: while the index's behavior has been publicly documented, the presence of "supported" PGP/GPG flags on the uploading client side might lead them to believe that some form of PGP signature uploading is still supported or effective.The Proposal
I propose a deprecation and removal period for these flags, as well as their corresponding parts of the
twinecodebase. In particular, I propose two discrete phases: a deprecation period during which time these flags causeDeprecationWarnings (or similar), followed by a hard removal period during which thetwineCLI no longer recognizes them and exits with a failure code.The use of a deprecation period here is arguably a little funky, since the underlying behavior has already been removed on the index side. On the other hand there is probably a decent amount of CI/CD automation out there currently using these flags (effectively as no-ops), so giving them a deprecation period before making a breaking change on the
twineCLI side will help them perform a graceful migration.Other considerations
This is intended to be a non-exhaustive list:
twinesupports uploading to an arbitrary index; are there popular third-party indices that still support PGP signatures?Please let me know what you think! If this proposal seems interesting and valuable, then I'd be more than happy to do the work here.