[djsumdog]

So I know rpms and debs are signed, as I've setup repos for both. Docker repositories require a valid SSL key (or you have to manually allow untrusted repos). But do Python packages and Ruby gems have signature verification? How does pypy/pip and gem deal with validating a package is what it claims to be?

[ek750]

Ruby gems can be signed but the percentage of gems authors taking advantage of that is low.

At least we’ve got most people using https to transfer gems now!

[cpburns2009]

PyPI (which is what Pip uses) at the very least does not require authors to sign their packages. I can't say whether it supports signing though.

[viraptor]

Traditional python packages support GPG signing: https://pypi.python.org/security

There's new experimental signing in wheels: https://wheel.readthedocs.io/en/stable/#automatically-sign-w...

and the signing defined in PEP: https://www.python.org/dev/peps/pep-0427/#signed-wheel-files