Unverified tags for recent pip releases?

A random data point: our IT department had security-related worries about upgrading to pip >= 21.3 because the two most recent tags (for 21.3 and 21.3.1) currently have an “Unverified” label next to them at Tags · pypa/pip · GitHub, while older tags don’t have that label. I’ve pointed out that this is no different to many other open source projects that we currently use (where the tags are equally unverified, but that fact isn’t labelled) and that the “Unverified” label is mostly harmless, and I think it’s all sorted now for us. But there are understandably a lot of security-related jitters right now and I suspect that ours won’t be the last IT department to have those worries. Would it be worth either adding signatures for those tags (not sure whether that’s possible for existing tags), or removing the setting that causes those “Unverified” labels to appear?

Thanks for raising! Looks like this is due to @pradyunsg signing his commits, but not his tags. I created https://github.com/pypa/pip/pull/10803 to introduce tag signing into the release process.

6 Likes
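As an added illustration (not code from this thread or from pip's own release tooling): a consumer-side check in Python that reproduces the distinction described in the reply above, signed commits versus unsigned tags. It takes the JSON GitHub's REST API returns for a ref (`GET /repos/{owner}/{repo}/git/ref/tags/{tag}`) and for an annotated tag object (`GET /repos/{owner}/{repo}/git/tags/{sha}`) and reports whether a tag is lightweight (nothing to sign), annotated but unsigned (what GitHub labels “Unverified”), or carries a signature GitHub validated. The sample responses are constructed; the SHAs and the `example-signed` tag name are placeholders, not real pip data.

```python
"""Classify release tags by signature state from GitHub REST API JSON."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class TagStatus:
    name: str
    kind: str              # "lightweight" or "annotated"
    state: str             # "unsigned", "verified", "failed" or "n/a"
    reason: Optional[str]  # GitHub's verification.reason, if any
    commit_sha: str        # the commit the tag ultimately points at


def classify_tag(ref: dict, tag_obj: Optional[dict]) -> TagStatus:
    name = ref["ref"].split("refs/tags/", 1)[-1]
    obj = ref["object"]
    if obj["type"] == "commit":
        # Lightweight tag: no tag object exists, so there is nothing to sign.
        return TagStatus(name, "lightweight", "n/a", None, obj["sha"])
    if obj["type"] != "tag" or tag_obj is None or tag_obj.get("sha") != obj["sha"]:
        raise ValueError(f"tag object for {name} missing or does not match the ref")
    ver = tag_obj.get("verification") or {}
    reason = ver.get("reason")
    if ver.get("verified"):
        state = "verified"
    elif reason == "unsigned" or not ver.get("signature"):
        state = "unsigned"   # shown as "Unverified" in GitHub's tag list
    else:
        state = "failed"     # a signature is present but GitHub could not validate it
    return TagStatus(name, "annotated", state, reason, tag_obj["object"]["sha"])


def acceptable(status: TagStatus) -> bool:
    """Policy: only annotated tags with a GitHub-validated signature pass."""
    return status.kind == "annotated" and status.state == "verified"


# Constructed samples in the shape of GitHub's responses (placeholder SHAs).
REF_UNSIGNED = {"ref": "refs/tags/21.3.1", "object": {"type": "tag", "sha": "t" * 40}}
TAG_UNSIGNED = {"sha": "t" * 40, "tag": "21.3.1", "object": {"type": "commit", "sha": "c" * 40},
                "verification": {"verified": False, "reason": "unsigned", "signature": None, "payload": None}}
REF_SIGNED = {"ref": "refs/tags/example-signed", "object": {"type": "tag", "sha": "s" * 40}}
TAG_SIGNED = {"sha": "s" * 40, "tag": "example-signed", "object": {"type": "commit", "sha": "d" * 40},
              "verification": {"verified": True, "reason": "valid", "signature": "<pgp block>", "payload": "<tag payload>"}}
REF_LIGHT = {"ref": "refs/tags/old-lightweight", "object": {"type": "commit", "sha": "e" * 40}}

if __name__ == "__main__":
    for ref, tag in [(REF_UNSIGNED, TAG_UNSIGNED), (REF_SIGNED, TAG_SIGNED), (REF_LIGHT, None)]:
        s = classify_tag(ref, tag)
        print(f"{s.name}: {s.kind}/{s.state} ({s.reason}) -> {'OK' if acceptable(s) else 'REJECT'}")
```

Note that `classify_tag` only reads what GitHub reports; a policy that trusts the result still has to decide which signing keys it accepts, which the API's `verified` flag does not express.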

I’ve unticked the relevant checkbox for now, and don’t see “Unverified” anymore.

1 Like

Thank you!