Moving away from distutils-sig

[pradyunsg]

Our metadata still says points to distutils-sig.

The mailing list, however, has been shut down: https://mail.python.org/mailman3/lists/distutils-sig.python.org/

Should we update this, and to what?

[pradyunsg]

Should we update this, and to what?

@pypa/pip-committers This is an open question. I'm leaning toward removing this entirely. :)

[pfmoore]

Works for me. I assume you mean removing the "author email" metadata? Maybe we could add an "Issue Tracker" project URL, just to give people at least one bit of "how to contact us" metadata?

[pradyunsg]

Maybe we could add an "Issue Tracker" project URL, just to give people at least one bit of "how to contact us" metadata?

That should be getting auto-populated with PyPI's automation for this, using the Project URL that's provided with a GitHub link. If not, that's a bug on PyPI's end.

I assume you mean removing the "author email" metadata?

Yes.

[uranusjr]

Does PyPA has a email for say security sensitive reports? I remember someone asked me about it and we didn’t have something like that. Maybe we should set up something to use in most PyPA projects, and also list it on pypa.io for people for non-public reports.

[pradyunsg]

We just piggy-back off the security@python.org for this stuff right now -- https://www.python.org/dev/security/.

I think we can add a dedicated page for this to pip's documentation. Whether we want to do the same for other PyPA projects is a can of worms I'm not interested in touching.