Hi,

Quoting Simon Josefsson (2026-02-11 20:52:04)
> Jochen Sprickerhof <[email protected]> writes:
>
> > Python Team:
> >
> > "DPT requires a pristine-tar branch"
> >
> > https://salsa.debian.org/python-team/tools/python-modules/blob/master/policy.rst
>
> The Python Team's Policy insistence on use of pristine-tar and throwing
> away upstream git history is [1]:
>
>   DPT requires a pristine-tar branch, and only upstream tarballs can be
>   used to advance the upstream branch. Complete upstream Git history
>   should be avoided in the upstream branch.
>
> The pypi.debian.net man-in-the-middle upstream tarball redirector is the
> recommended (?) debian/watch URL to use for Python packages [2].
>
> I find this combination really odd. It is a great setup to enable
> xz-style attacks: (several) trusted indirections and lack of audit-chain
> between the source code consumed by Debian and the source code from the
> upstream maintainer git repository.
>
> Debian is using Python sources from pypi.debian.net, which may or may
> not be the actual pypi.org tarball, which may or may not be the source code
> coming from each upstream's actual source repository.
I am upstream of some Python modules and have a bad feeling about using
pypi since I got this email from them in October 2023:

> Subject: [PyPI] Unsupported GPG signature uploaded to PyPI
>
> # What?
>
> During your recent upload of img2pdf to PyPI, we noticed you uploaded a GPG
> signature. However, support for GPG signatures has been removed from PyPI.
>
> # What should I do?
>
> While uploads will continue to work, any signatures uploaded to PyPI will be
> discarded. It is recommended to no longer upload signatures to PyPI.

I have a bad feeling about a service which actively removed support for
attaching a cryptographic signature to my upload. I have since dropped pypi
as the source of my Debian Python packages and use my upstream git repo with
signed tags instead.

Thanks!

cheers, josch
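The missing audit chain Simon describes (tarball from pypi.debian.net versus the source in upstream's git) can be checked mechanically once you have the tagged upstream tree checked out: compare the tarball against the tree file by file, by content hash, ignoring tar metadata such as owner, mtime and member order, which legitimately differ between tarball generators. The script below is an added example written for this thread; it is not code from Debian, DPT, uscan or josch's packages. The upstream tree and both tarballs are constructed inline so it runs offline, and the "tampered" tarball models the xz pattern of a build hook and a modified module that exist only in the release archive. Verifying the tag signature itself is git's job (`git verify-tag`) and is out of scope here; this check only answers whether the archive's contents equal the tagged tree.

```python
"""Diff a release tarball against an upstream source tree by file content.

Added example for this thread (not code from Debian, DPT or any upstream):
a packager-side check that the tarball being imported is content-identical
to the tagged upstream tree. Sample tree and tarballs are constructed below.
"""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def tree_digests(root: Path) -> dict:
    """Map relative path -> sha256 for every regular file under root,
    skipping .git (roughly what `git archive <tag>` would contain)."""
    out = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root)
        if p.is_file() and ".git" not in rel.parts:
            out[rel.as_posix()] = _sha256(p.read_bytes())
    return out


def tarball_digests(blob: bytes) -> dict:
    """Map path (conventional pkg-version/ prefix stripped) -> sha256
    for regular-file members only; devices, symlinks etc. are ignored."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:*") as tar:
        for m in tar.getmembers():
            if not m.isfile():
                continue
            parts = m.name.split("/")
            # Refuse member names that would escape the top-level directory.
            if m.name.startswith("/") or ".." in parts:
                raise ValueError(f"unsafe member name: {m.name}")
            if len(parts) < 2:
                continue  # no top-level directory; not a normal release archive
            out["/".join(parts[1:])] = _sha256(tar.extractfile(m).read())
    return out


def compare(tree: dict, tar: dict) -> dict:
    """Three sorted lists; all empty means the tarball equals the tree."""
    both = tree.keys() & tar.keys()
    return {
        "only_in_tarball": sorted(tar.keys() - tree.keys()),
        "only_in_tree": sorted(tree.keys() - tar.keys()),
        "modified": sorted(p for p in both if tree[p] != tar[p]),
    }


def build_tarball(files: dict, topdir: str) -> bytes:
    """Constructed sample: pack {relpath: bytes} under topdir/ as .tar.gz."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for rel, data in files.items():
            info = tarfile.TarInfo(f"{topdir}/{rel}")
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def demo() -> tuple:
    """Constructed upstream tree, then a clean and a tampered tarball."""
    upstream = {
        "pyproject.toml": b"[project]\nname = 'pkg'\nversion = '1.0'\n",
        "src/pkg/__init__.py": b"__version__ = '1.0'\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "pkg"
        for rel, data in upstream.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        tree = tree_digests(root)

    clean = compare(tree, tarball_digests(build_tarball(upstream, "pkg-1.0")))

    # xz-style: a build hook and a changed module that never appeared in
    # the tagged git tree, only in the published release archive.
    tampered_files = dict(upstream)
    tampered_files["setup.py"] = b"import os; os.system('echo build hook')\n"
    tampered_files["src/pkg/__init__.py"] = b"__version__ = '1.0'\nimport os\n"
    tampered = compare(tree, tarball_digests(build_tarball(tampered_files, "pkg-1.0")))
    return clean, tampered


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered"), demo()):
        print(label, report)
```

In real use, `tree_digests` would point at a checkout of the signed upstream tag and `tarball_digests` at the archive uscan downloaded; any non-empty list in the report is something to read before the tarball becomes the Debian upstream branch.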

