PyPI Security
Reporting
If you have a query or report to make regarding security, please contact Richard Jones and/or Martin von Löwis. Both have GPG keys on key servers like pgp.mit.edu.
Richard's GPG key has key id 41C6E930 (full fingerprint 0145 FD2B 52E8 0A8E 329A 16C7 AC68 AC04 41C6 E930) and his email address is richard@mechanicalcat.net.
Martin's GPG key has key id 7D9DC8D2 (full fingerprint CBC5 4797 8A39 64D1 4B9A B36A 6AF0 53F0 7D9D C8D2) and his email address is martin@v.loewis.de.
You may also report issues in the PyPI bug tracker, where reports may be made private.
Your Security
You may sign your uploads with GPG using the "--sign" argument to "python setup.py upload".
Additionally, you may avoid using the default HTTP authentication used on the site and instead upload using ssh.
The MD5 hash provided with files on PyPI exists only to provide some download corruption protection. It is not intended to provide any sort of security regarding tampering. Please use GPG signing for that.
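The point about MD5 above, as an added example (not PyPI's own code): the digest check catches a file damaged in transfer, but passes when the file and the digest listed beside it are replaced together. The file contents and all function names here are constructed for illustration.

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    # usedforsecurity=False: MD5 serves only as a checksum here, as on the page.
    return hashlib.md5(data, usedforsecurity=False).hexdigest()


def md5_check(downloaded: bytes, listed_md5: str) -> bool:
    """Return True when the file matches the digest listed next to it."""
    return hmac.compare_digest(md5_hex(downloaded), listed_md5.strip().lower())


def flip_bit(data: bytes, index: int) -> bytes:
    """Model transfer damage by flipping one bit of one byte."""
    damaged = bytearray(data)
    damaged[index] ^= 0x01
    return bytes(damaged)


def run_scenarios() -> dict:
    # Constructed stand-in for a release file and the digest listed with it.
    released = b"constructed sdist contents for example-1.0.tar.gz\n"
    listed = md5_hex(released)

    # 1. Clean download: file and listed digest agree.
    intact = md5_check(released, listed)

    # 2. Damage in transit: the file changes, the listed digest does not.
    corrupted = md5_check(flip_bit(released, 10), listed)

    # 3. Tampering: the file and its digest are served from the same place,
    #    so both are replaced consistently and the check has nothing to catch.
    altered = released + b"# constructed extra line\n"
    tampered = md5_check(altered, md5_hex(altered))

    return {"intact": intact, "corrupted": corrupted, "tampered": tampered}


if __name__ == "__main__":
    for name, passed in run_scenarios().items():
        print(f"{name:10s} md5 check {'passes' if passed else 'FAILS'}")
```

A GPG signature differs because it is verified against the uploader's public key, which you obtain and check separately from the download.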
