Requested Feature: Since PyPI does not support (and outright removed existing) OpenPGP signatures on the platform, downstream reproducibility is now broken (see https://archlinux.org/todo/fix-reproducibility-of-packages-broken-by-pypi-removing-signature-files/).
Hence, it would be great if you could add an OpenPGP signature (using the same key as before) for the auto-generated source tarball.
Related Area: release
Do you want to contribute this yourself as a pull request? (don’t worry about it if you don’t want to/can’t — someone else can take care of it)
Does this feature affect backwards compatibility? If yes, in what way?
Currently, reproducibility for all releases is broken if downstreams relied upon a signature file from PyPI.
Rationale and full description: (why should it be added to Nikola?)
This ensures the continued trust path of the releases and fixes reproducibility for downstreams.
Ugh, the PyPA folks really love making people’s lives worse.
I uploaded 8.2.4’s assets and signatures to GitHub: https://github.com/getnikola/nikola/releases/tag/v8.2.4
I’ll update our release procedure to do the same for future releases.
e019118
Thank you! Much appreciated ❤️
Kwpolska