The review feedback was positive and focused on simplifying how user-provided metadata is collected, sent, and signed during package publishing. Given the feedback, the proposal was amended so that user-provided metadata.json became optional, and is always signed when present. It also meant that the proposed sign command became redundant given the publish --dry-run command has the same effect, and it was removed from the proposal. Another small amendment was in how the signing certificate chain is passed to accommodate the behavior of the underlying certificate parsing libraries.
With these modifications, the core team accepted the proposal.
Thank you to the proposal authors and everyone who participated in the review.