fundable-packaging-improvements
Packaging improvements that could be funded
**What is the current situation/context?** PEPs 643 and 658 have been agreed but are not yet implemented in key projects. **What ought to be fixed, made, or implemented?** Implementing these...
Background: https://github.com/pypa/packaging-problems/issues/25 Create a generic wheel-building service to make releases faster and more robust.
This proposal was motivated by the [recent discourse thread](https://discuss.python.org/t/updating-fundable-packaging-projects/16566/4) **What is the current situation/context?** Currently the combination of setuptools/wheel does not support reproducible builds completely. This makes some kinds of...
`pip` currently uses `requirements.txt` to specify dependencies; it can specify __versions__ of packages but not __hashes__. The [newer pipfile format](https://github.com/pypa/pipfile) can include hashes, which some users prefer. But `pip` [doesn't...
I was about to ask for funding to get myself deep into https://github.com/pypa/warehouse/issues/8254 and then realized that https://github.com/psf/fundable-packaging-improvements/blob/master/FUNDABLES.md is not something PSF has funds for, but instead it is something...
Since anyone can upload a package to PyPI, malicious users might upload malware, which would then harm users. To mitigate this risk, PSF [previously obtained funding](https://github.com/python/request-for/blob/master/2019-Q4-PyPI/RFP.md) to add some malware...
To keep PyPI's users secure, we want to give them [an opt-in communication channel to hear about security vulnerabilities for the packages they use](https://github.com/pypa/warehouse/issues/798). Implementing this would also give us...
To scale up our anti-abuse moderation and help package maintainers with security response, we need to be able to, for instance, mark a release as deprecated or a project as...
Right now, there are ways for package maintainers to test and share draft versions of their upcoming releases, but they cause friction and confusion. So we want to add [staged...
Our packaging ecosystem relies on [a particular structured data format (classifiers)](https://pypi.org/classifiers/) to indicate a package's legal license. However, our current system [allows for ambiguity that makes some downstream data display...