
61 points harporoeder | 5 comments
politelemon ◴[] No.41874187[source]
This feels like perfect being the enemy of good enough. There are examples where the system falls over but that doesn't mean that it completely negates the benefits.

It is very easy to get blinkered into thinking that the specific problems they're citing absolutely need to be solved, and quite possibly an element of trying to use that as an excuse to reduce some maintenance overhead without understanding its benefits.

replies(2): >>41874198 #>>41874289 #
1. jacques_chester ◴[] No.41874289[source]
Maintaining this capability isn't free, it is of dubious benefit and there are much better alternatives.

On a cost-benefit analysis this is a slam dunk.

replies(1): >>41874384 #
2. nightfly ◴[] No.41874384[source]
What are these "much better alternatives"?
replies(1): >>41874419 #
3. arccy ◴[] No.41874419[source]
https://www.sigstore.dev/

The emerging standard for verifying artifacts, e.g. in container image signing, npm, maven, etc.

https://blog.sigstore.dev/npm-public-beta/

https://www.sonatype.com/blog/maven-central-and-sigstore

replies(1): >>41875806 #
4. binary132 ◴[] No.41875806{3}[source]
Emerging standard = not yet the standard
replies(1): >>41876472 #
5. jacques_chester ◴[] No.41876472{4}[source]
Nobody said it was. The point is that it's better.