by jwilk
2958 days ago
I only sign git tags and releases.
I don't sign git commits, because it's super annoying, especially when rebasing a large number of commits. Package signing and verification works for distros, because significant effort is spent on curating keyrings of trusted keys. (And even that isn't foolproof! See https://bugs.debian.org/842939 for the latest example.) It's not clear how automatic signature verification could work for pip. Who's going to decide which keys are trusted?