
61 points | harporoeder | 1 comments
opello No.41874091
Wouldn't another very good answer be for PyPI to have a keyserver and require keys be sent to it for them to be used in package publishing?
replies (2): >>41874175, >>41874253
wnissen No.41874253
Wouldn't that make the maintenance burden worse? Now PyPI has to host a keyserver, with its own attack surface. And presumably 99.7% of the keys would be only for PyPI, so folks would have no incentive to secure them. The two modes that work are either no signing, or mandatory signing like many app stores. Obviously the middle way is the worst of both worlds: no security for 99+% of packages, but all the maintenance headache. And mandatory signing raises the possibility that PyPI would be replaced by an alternate repository that's easier to contribute to. The open source world depends to a shocking degree on the volunteer labor of people who have a lot of things they could be doing with their time, and a "small" speed bump for enhanced security can have knock-on effects that are not small.
replies (1): >>41874364
opello No.41874364
Sure, it all hinges on whether the signatures provided any value. And it seems to be the conclusion that it didn't.

Without something showing "keyservers present an untenable risk", and given that Debian, Ubuntu, Launchpad and others have keyserver infrastructure, it seems like too far of a conclusion to reach casually. But of course it adds attack surface, for the simple fact that a public-facing thing was stood up where once it was not. Though that isn't the kind of trivial conclusion I imagine you had in mind.

I don't see why there's a binary choice between "signing is no longer supported" and "signing is mandatory" when before that wasn't the case. If it truly provided no value, or so small a value with so high a maintenance burden that it harmed the project that way, then it makes sense, but that didn't seem to be the place from which the article argued.