PEP 101: Add information on Sigstore (#3085)

Co-authored-by: C.A.M. Gerlach <CAM.Gerlach@Gerlach.CAM>
This commit is contained in:
Łukasz Langa 2023-04-07 23:27:47 +02:00 committed by GitHub
parent 2ad19ddeb0
commit c607a47b45
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed file with 17 additions and 2 deletions

@ -78,6 +78,11 @@ Here's a hopefully-complete list.
* A subscription to the super secret release manager mailing list, which may
or may not be called ``python-cabal``. Bug Barry about this.
* A ``@python.org`` email address that you will use to sign your releases
with. Ask ``postmaster@`` for an address; you can either get a full
account, or a redirecting alias + SMTP credentials to send email from
this address that looks legit to major email providers.
Types of Releases
=================
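Review bot: the new bullet says the address is one "that you will use to sign your releases with" but never names the signing scheme, so a reader of this prerequisites list cannot tell why the address matters or why a plain forwarding alias would not do; suggest "to sign your releases with Sigstore" and the same link the later hunks use, https://www.python.org/download/sigstore/, so the requirement is self-explanatory where it is first stated.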
@ -121,9 +126,10 @@ release. The roles and their current experts are:
* RM = Release Manager
- Łukasz Langa <lukasz@python.org> (Central Europe)
- Ned Deily <nad@python.org> (US)
- Thomas Wouters <thomas@python.org> (NL)
- Pablo Galindo Salgado <pablogsal@python.org> (UK)
- Łukasz Langa <lukasz@python.org> (PL)
- Ned Deily <nad@python.org> (US)
* WE = Windows - Steve Dower <steve.dower@python.org>
* ME = Mac - Ned Deily <nad@python.org> (US)
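Review bot: the release-manager roster edit in this hunk (Thomas Wouters and Pablo Galindo Salgado added, Łukasz Langa's region tag changing from "(Central Europe)" to "(PL)") is unrelated to the Sigstore documentation the commit message describes; consider splitting it into its own commit so the history and any later revert stay easy to follow.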
@ -321,6 +327,10 @@ to perform some manual editing steps.
tarballs and signatures in a subdirectory called ``X.Y.ZaN/src``, and the
built docs in ``X.Y.ZaN/docs`` (for **final** releases).
Note that the script will sign your release with Sigstore. Please use
your **@python.org** email address for this. See here for more information:
https://www.python.org/download/sigstore/.
- Now you want to perform the very important step of checking the
tarball you just created, to make sure a completely clean,
virgin build passes the regression test. Here are the best
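Review bot: "Please use your **@python.org** email address for this" says which identity to present but not where that choice is made, so a release manager with several accounts at the identity provider gets no hint which one to pick during signing; suggest one sentence on how the address is selected when the script signs (the linked page can carry the detail), and for consistency with the later hunk use the same markup for the address and the same link form (this hunk ends the URL with a period, the later one does not).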
@ -689,6 +699,11 @@ with RevSys.)
(It's best to update add-to-pydotorg.py when file types
are removed, too.)
The script will also sign any remaining files that were not
signed with Sigstore until this point. Again, if this happens,
do use your @python.org address for this process. More info:
https://www.python.org/download/sigstore/
- In case the CDN already cached a version of the Downloads page
without the files present, you can invalidate the cache using::
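Review bot: "were not signed with Sigstore until this point" reads better as "up to this point", and "if this happens" does not say what would leave files unsigned or how the RM would notice, so it is unclear whether this is the expected path or an error case; suggest stating which files are normally still unsigned at this stage and that the script only prompts for those, and match the earlier note's formatting (bold **@python.org**, URL with trailing period) so the two Sigstore notes read the same.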