
61 points harporoeder | 2 comments

opello No.41874091
Wouldn't another very good answer be for PyPI to have a keyserver and require keys be sent to it for them to be used in package publishing?
replies(2): >>41874175 #>>41874253 #
1. zitterbewegung No.41874175
From here: https://caremad.io/posts/2013/07/packaging-signing-not-holy-... which is linked to the article: since PyPI has so many packages and everyone can sign up to add a package, it would be extremely unmanageable.
replies(1): >>41874318 #
2. opello No.41874318
That's fair and I appreciate that detail even without having followed the link in the original article. But while not being "the holy grail" why must the perfect be the enemy of the good, if it was providing a value?

I certainly allow for the "if it was providing a value" to be a gargantuan escape hatch through which any other perspective may be removed.

But by highlighting the difficulty in verifying signatures and saying it was because the keys were hard to find (or may have been expired or other signing errors per the footnote) a fairly straightforward solution presents itself: add keyserver infrastructure, check it when signed packages are posted, reject if key verification fails using that keyserver.

All told it seems like it wasn't providing a value, so throwing more resources at the effort was not done. But something about highlighting how "keys being hard to find" helped justify the action doesn't quite pass muster to my mind.
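The publish-time gate opello sketches (key must be on the index's keyserver, not expired, and the signature must verify, or the upload is rejected) as an added, stand-alone example. This is not PyPI's code or anything from the linked article; the keyserver, the `check_upload` gate and the package bytes are constructed here, and the signature scheme is textbook RSA over a SHA-256 digest built from the standard library only so the example runs offline (a real index would use a vetted library and a padded scheme, not raw RSA).

```python
"""Sketch of a keyserver-backed upload gate (added example, not PyPI's code)."""
import hashlib
import secrets

# --- minimal textbook RSA, only so the example is self-contained ------------

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin primality test with random witnesses."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so n = p*q has ~2*bits bits."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits: int = 512):
    """Return ((e, n), (d, n)). n exceeds 2**256, so a SHA-256 digest fits."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    return (e, p * q), (d, p * q)

def fingerprint(pub) -> str:
    """Short identifier the uploader quotes and the index looks up."""
    e, n = pub
    return hashlib.sha256(f"{e}:{n}".encode()).hexdigest()[:16]

def sign(priv, data: bytes) -> int:
    d, n = priv
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(h, d, n)

def verify(pub, data: bytes, sig: int) -> bool:
    e, n = pub
    h = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return pow(sig, e, n) == h

# --- the keyserver and the gate opello describes ----------------------------

class Keyserver:
    """Registry the index consults; a key must be registered before use."""
    def __init__(self):
        self._keys = {}  # fingerprint -> (public key, expiry timestamp)

    def register(self, pub, ttl_seconds: int, now: float) -> str:
        fp = fingerprint(pub)
        self._keys[fp] = (pub, now + ttl_seconds)
        return fp

    def lookup(self, fp: str):
        return self._keys.get(fp)

def check_upload(keyserver: Keyserver, package: bytes, fp: str, sig: int, now: float) -> str:
    """Return 'ok' or a rejection reason; every failure is a hard reject."""
    entry = keyserver.lookup(fp)
    if entry is None:
        return "rejected: key not on keyserver"
    pub, expires_at = entry
    if now > expires_at:
        return "rejected: key expired"
    if not verify(pub, package, sig):
        return "rejected: bad signature"
    return "ok"

if __name__ == "__main__":
    pub, priv = generate_keypair()
    ks = Keyserver()
    now = 1_700_000_000.0                       # constructed upload time
    fp = ks.register(pub, ttl_seconds=3600, now=now)
    package = b"example-1.0.tar.gz contents (constructed)"
    sig = sign(priv, package)
    print(check_upload(ks, package, fp, sig, now))            # ok
    print(check_upload(ks, package, "0000000000000000", sig, now))  # not on keyserver
    print(check_upload(ks, package, fp, sig, now + 7200))     # expired
    print(check_upload(ks, package + b"x", fp, sig, now))     # bad signature
```

The point of the gate is that "key hard to find" stops being a verification failure mode: the index only accepts signatures from keys it already holds, so a consumer later verifying the package can fetch the key from the same place the index checked it.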