Arch Linux

Since PyPI first deprecated the use of OpenPGP signatures [1] and then broke downloading existing signature files via predictable URLs(!), the reproducibility of some packages [2] is now broken because of that.

To ensure the continued chain of trust as well as the reproducibility of packages, please get in touch with the affected upstreams and ask for signature files for existing (if feasible/relevant) and upcoming releases to be provided elsewhere (e.g. their own project space at their respective source forge).

If a request for signature files fails, non-predictable PyPI URLs can be used. For example: https://files.pythonhosted.org/packages/1d/c7/28220d37e041fe1df03e857fe48f768dcd30cd151480bf6f00da8713214a/py-ubjson-0.16.1.tar.gz.asc.

Rebuilds go straight to the stable repositories.

[1] https://blog.pypi.org/posts/2023-05-23-removing-pgp/
[2] https://gitlab.archlinux.org/search?group_id=11323&nav_source=navbar&scope=blobs&search=%22pythonhosted%22+%2B+%28%22.asc%22+%7C+%22.sig%22%29+filename%3A*PKGBUILD