Today we have released the first beta of version 26.2 of the Python install manager:
Release page: Python Release Python install manager 26.2 beta 1 (python.org)
Changelog: Release 26.2b1 · python/pymanager (GitHub)
The main change in this release is support for index signatures. Please read those docs for full details, but the short version is that our feeds hosted on python.org now come with a cryptographic signature from our code-signing certificate, and the updated install manager will verify that it is signed specifically by our own certificate.
This should make it impossible for a server compromise to lead to our users (with default config) being delivered packages that we didn’t publish ourselves. It will also make it more obvious when a local compromise/misconfiguration is causing a user to install from a different server, at least once they are used to seeing the “successfully verified” message.
We are deliberately not making unsigned indexes appear to be invalid or insecure (at least for now), since it ought to be possible to use an unsigned index without feeling judged (and it’s a real pain to properly sign something you want to use locally). The only way in which we’ve given ourselves special privileges here is by listing our index in the default configuration file - users can override it or add their own.
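The three outcomes described above (signed by our certificate, unsigned but allowed, or rejected) can be shown with a small pinned-key verifier. This is an added illustration, not code from pymanager: the real tool checks a code-signing certificate, while this example substitutes an Ed25519 key pin, and the index body, field names and URLs are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// VerifyStatus is the outcome of checking an index: verified by the pinned
// publisher key, unsigned but permitted, or rejected.
type VerifyStatus int

const (
	StatusVerified VerifyStatus = iota // signed by the pinned publisher key
	StatusUnsigned                     // no signature present; allowed, not flagged
	StatusRejected                     // signature present but wrong key or tampered body
)

func (s VerifyStatus) String() string {
	switch s {
	case StatusVerified:
		return "successfully verified"
	case StatusUnsigned:
		return "unsigned (allowed)"
	default:
		return "rejected"
	}
}

// SignedIndex is a hypothetical index document (not pymanager's real format):
// the feed body plus a detached signature and the signer's public key. The
// embedded key is untrusted input; only the pin decides whether it counts.
type SignedIndex struct {
	Body      []byte
	Signature []byte            // nil when the index is unsigned
	SignerKey ed25519.PublicKey // claimed signer, checked against the pin
}

// SignIndex produces a signed index with the given publisher key.
func SignIndex(priv ed25519.PrivateKey, body []byte) SignedIndex {
	return SignedIndex{
		Body:      body,
		Signature: ed25519.Sign(priv, body),
		SignerKey: priv.Public().(ed25519.PublicKey),
	}
}

// VerifyIndex checks idx against the single pinned publisher key. A signature
// from any other key is rejected even if it is cryptographically valid, which
// is what stops a compromised server from substituting its own signer.
func VerifyIndex(idx SignedIndex, pinned ed25519.PublicKey) (VerifyStatus, error) {
	if idx.Signature == nil {
		return StatusUnsigned, nil
	}
	if !pinned.Equal(idx.SignerKey) {
		return StatusRejected, errors.New("index signed by a key other than the pinned publisher key")
	}
	if !ed25519.Verify(pinned, idx.Body, idx.Signature) {
		return StatusRejected, errors.New("signature does not match index contents")
	}
	return StatusVerified, nil
}

// RunScenarios exercises the verifier on constructed inputs: a genuine index,
// an unsigned index, a tampered body, and an index signed by a different key.
func RunScenarios() (map[string]VerifyStatus, error) {
	pubPublisher, privPublisher, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, privOther, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}

	// Constructed sample feed; the real index format is not reproduced here.
	body := []byte(`{"versions":[{"id":"3.14","url":"https://example.invalid/python-3.14.zip"}]}`)

	genuine := SignIndex(privPublisher, body)
	unsigned := SignedIndex{Body: body}
	tampered := genuine // keeps the publisher's signature but alters the body
	tampered.Body = []byte(`{"versions":[{"id":"3.14","url":"https://example.invalid/other.zip"}]}`)
	otherSigner := SignIndex(privOther, body)

	results := map[string]VerifyStatus{}
	for name, idx := range map[string]SignedIndex{
		"genuine": genuine, "unsigned": unsigned, "tampered": tampered, "other-signer": otherSigner,
	} {
		status, _ := VerifyIndex(idx, pubPublisher)
		results[name] = status
	}
	return results, nil
}

func main() {
	results, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	for name, status := range results {
		fmt.Printf("%-13s %s\n", name+":", status)
	}
}
```

The point of the explicit pin is the distinction between "a valid signature" and "a valid signature from us": an index signed by any other key is rejected, while a completely unsigned index is reported as unsigned rather than treated as an error, matching the policy described in the post.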
Apart from the index signatures, there are a few minor bug fixes around the *w.exe launchers, but nothing else. We might add some shebang enhancements, but frankly the requests are pushing the boundary between “Python launcher” and “arbitrary tool launcher”. Happy to hear other opinions on this, but I don’t really want this to become the universal shebang-on-Windows tool (not least because it then becomes much more likely for us to be blocked on systems sensitive to attack surface area).