
> The top result from Google: https://pypi.python.org/security

I'm not sure what this has to do with anything. Yes, you may sign your uploads. Nobody verifies them on download.

Since you seem to be a fan of Google, try Googling 'pip signature verification' and reading the results. Here's one place to start: https://github.com/pypa/twine/issues/157

> Really? So how do you install Babel the first time in order to shrinkwrap it?

The same way you install anything else from any other ecosystem? The packages have to be up and online when you initially retrieve them, yes. I have no idea how you think that's NPM-specific. If you would like to download some code, you have to have somewhere to download it from.
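The thread's point that uploads can be signed but nothing checks the signature on download has a practical defender-side answer that pip does support: hash pinning, where each requirement carries a `--hash=sha256:...` and pip's `--require-hashes` mode refuses anything unpinned or mismatched. The script below is an added example, not code from the comment above or from pip or twine; it implements the same check in a few lines so the failure modes are visible (a line with no hash is rejected outright, a tampered artifact fails). The artifact bytes and the version label are constructed for the demonstration.

```python
import hashlib
import re

# Accepts requirement lines of the form
#   name==version --hash=sha256:<64 hex chars> [--hash=sha256:... ...]
# which is the requirements.txt syntax pip consumes in --require-hashes mode.
PIN_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>\S+)"
    r"(?P<hashes>(?:\s+--hash=sha256:[0-9a-f]{64})*)\s*$"
)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the raw artifact bytes, lowercase hex (what pip records)."""
    return hashlib.sha256(data).hexdigest()


def pin_line(name: str, version: str, data: bytes) -> str:
    """Build a hash-pinned requirement line from an artifact you fetched and
    inspected once; this is the trusted 'first install' the thread asks about."""
    return f"{name}=={version} --hash=sha256:{sha256_hex(data)}"


def parse_pins(requirements_text: str) -> dict:
    """Return {normalised_name: (version, {allowed sha256 hex digests})}.

    Mirrors --require-hashes strictness: a line that is unparseable or that
    carries no --hash at all is an error, not a silent pass-through.
    """
    pins = {}
    for raw in requirements_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unparseable or unpinned requirement: {line!r}")
        hashes = set(re.findall(r"sha256:([0-9a-f]{64})", m.group("hashes")))
        if not hashes:
            raise ValueError(f"requirement without --hash: {line!r}")
        pins[m.group("name").lower()] = (m.group("version"), hashes)
    return pins


def verify_download(requirements_text: str, name: str, data: bytes) -> bool:
    """True only if the downloaded bytes hash to one of the pinned digests.

    Verification happens on the bytes actually received, so a mirror, a
    compromised index or a re-uploaded file with the same version string all
    fail here regardless of any signature that nobody checked.
    """
    pins = parse_pins(requirements_text)
    key = name.lower()
    if key not in pins:
        raise KeyError(f"{name} is not in the pinned requirements")
    _version, allowed = pins[key]
    return sha256_hex(data) in allowed


if __name__ == "__main__":
    # Constructed artifact and version label; not a real Babel release.
    artifact = b"constructed-wheel-bytes-for-demo"
    requirements = pin_line("Babel", "0.0.0+example", artifact)
    print(requirements)
    print("genuine:", verify_download(requirements, "babel", artifact))
    print("tampered:", verify_download(requirements, "babel", artifact + b"\x00"))
```

The shape matches what `pip install --require-hashes -r requirements.txt` enforces: the pin is produced once from bytes you chose to trust, and every later install is an equality check on what arrived, not on who claims to have signed it.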
