Your cynicism isn't warranted: we've made significant improvements to PyPI over the last 4 years[1][2], and I'm currently working on additional features that will make secure publishing to PyPI easier[3]. We're also working on a codesigning implementation for PyPI, based on Sigstore[4].
Security needs to be evidence and outcome-driven, first and foremost. That takes a while, but improved outcomes make it worth it.
> That takes a while, but improved outcomes make it worth it.
meanwhile the integrity of the supply chain continues to be compromised
> Your cynicism isn't warranted
it is: the python packaging situation is worse today than it was when I started writing Python in 2005
the legions of meetings, grandiose titles, conferences and mountains of unreadable proposals have produced tooling that is objectively worse than what Maven offered close to two decades ago
In 2005, PyPI didn’t even host packages. It was an index that pointed you to the HTTP-only host that served the distribution. As far as I know, even basic hash checking wasn’t added until a decade later.
I have no opinions about titles, etc. But saying that Python packaging was better in 2005 is incorrect along all axes.