PyPI Security

Reporting

If you have a query or report to make regarding security, please contact Donald Stufft, Ernest W. Durbin III, or Richard Jones. All have GPG keys on key servers like pgp.mit.edu.

Donald's GPG key has key id 0x6E3CBCE93372DCFA (full fingerprint 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA) and his email address is donald@python.org

Ernest's GPG key has key id 0x88159C24830F6F7E (full fingerprint 11CD 3DD9 8D7E 61C7 6D1A 3224 8815 9C24 830F 6F7E) and his email address is ernest@python.org

Richard's GPG key has key id 0xAC68AC0441C6E930 (full fingerprint 0145 FD2B 52E8 0A8E 329A 16C7 AC68 AC04 41C6 E930) and his email address is richard@python.org
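Key servers do not vouch for the keys they hold, so a key fetched by e-mail address or key id should be compared against the full fingerprint above before it is used. The following is an added example, not code from PyPI: it assumes the keyring was listed with `gpg --with-colons --fingerprint`, and the sample listing and the helper names `primary_keys` and `check_keys` are constructed for illustration.

```python
# Fingerprints as published on this page, keyed by contact address.
PUBLISHED = {
    "donald@python.org": "7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA",
    "ernest@python.org": "11CD 3DD9 8D7E 61C7 6D1A 3224 8815 9C24 830F 6F7E",
    "richard@python.org": "0145 FD2B 52E8 0A8E 329A 16C7 AC68 AC04 41C6 E930",
}

# Constructed sample of `gpg --with-colons --fingerprint` output. Only the first
# fingerprint comes from this page; sizes, dates and the second key are made up.
SAMPLE = """\
pub:-:4096:1:6E3CBCE93372DCFA:1356000000:::-:::scESC:
fpr:::::::::7C6B7C5D5E2B6356A926F04F6E3CBCE93372DCFA:
uid:-::::1356000000::::Donald Stufft <donald@python.org>:
sub:-:4096:1:BBBBBBBBBBBBBBBB:1356000000::::::e:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
pub:-:2048:1:AAAAAAAA3372DCFA:1400000000:::-:::scESC:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA3372DCFA:
uid:-::::1400000000::::Donald Stufft <donald@python.org>:
"""

def primary_keys(colons):
    """Return [{'fpr': ..., 'uids': [...]}] for each primary key; subkeys are skipped."""
    keys, current, in_primary = [], None, False
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":                      # a new primary key starts here
            current = {"fpr": None, "uids": []}
            keys.append(current)
            in_primary = True
        elif f[0] == "sub":                    # fpr records after this belong to a subkey
            in_primary = False
        elif f[0] == "fpr" and in_primary and current["fpr"] is None:
            current["fpr"] = f[9].upper()      # field 10 holds the fingerprint
        elif f[0] == "uid" and current is not None:
            current["uids"].append(f[9])       # field 10 holds the user id
    return keys

def check_keys(colons, email, published=PUBLISHED):
    """Map every primary key claiming `email` to True only on a full fingerprint match."""
    want = published[email].replace(" ", "").upper()
    return {k["fpr"]: k["fpr"] == want
            for k in primary_keys(colons)
            if any(email in uid for uid in k["uids"])}

if __name__ == "__main__":
    print(check_keys(SAMPLE, "donald@python.org"))
```

The second sample key carries the same name, address and trailing eight hex digits as the real one, which is why the comparison uses all 40 digits rather than a key id.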

You may also report issues in the PyPI bug tracker where reports may be made private.

Your Security

You may sign your uploads with GPG using the "--sign" argument to "python setup.py upload".

Additionally, you may avoid using the default HTTP authentication used on the site and instead upload using ssh.

The MD5 hash provided with files on PyPI exists only to provide some download corruption protection. It is not intended to provide any sort of security regarding tampering. Please use GPG signing for that.