I built trustcheck, a Python CLI that evaluates the trust posture of a PyPI release before it is installed, promoted or approved.
trustcheck is currently in BETA and I am looking for real-world testing and feedback to help move it toward production-grade stability. If you are working with PyPI packages, supply-chain security or CI pipelines, I would really appreciate you trying it out and sharing your experience.
Due to the limitations of its dependencies, trustcheck currently works only on standard Python environments such as Linux, Windows and macOS. Android (Termux) is not supported. Once the "cryptography" dependency adds Termux support, trustcheck should work in that environment too.