
61 points by harporoeder | 1 comment
upofadown No.41874613
> Of those 1069 unique keys, about 30% of them were not discoverable on major public keyservers, making it difficult or impossible to meaningfully verify those signatures. Of the remaining 71%, nearly half of them were unable to be meaningfully verified at the time of the audit (2023-05-19).

A PGP keyserver provides no identity verification. It is simply a place to store keys. So I don't understand this statement. What is the ultimate goal here? I thought that things like this mostly provided a consistent identity for contributing entities with no requirement to know who the people behind the identities actually were in real life.

replies(2): >>41874636 >>41874649
1. ploxiln No.41874636
These keys could have related signatures from other keys, that some users or maintainers may have reason to trust.

(But for 30% of keys this was not even theoretically possible, while for another 40% of keys it was not practically possible, according to the article.)
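As an added illustration of the distinction ploxiln draws (this is an editor's example, not code from the thread or from the audit being discussed): a keyserver hands you a key and whatever certifications other keys have made on it, and `gpg --check-sigs` then tells you which of those certifications are cryptographically good and which cannot be checked because the certifier's key is missing. Whether a good certification comes from a key you have reason to trust is a separate, local decision. The script below parses the `--with-colons --check-sigs` record layout (as documented in GnuPG's doc/DETAILS) and sorts keys into those buckets. The sample gpg output, key IDs, fingerprints, names and the trusted-signer set are all constructed for the example.

```python
"""Sort PGP signing keys by whether third-party certifications make them verifiable.

Parses the colon-delimited records emitted by `gpg --with-colons --check-sigs`
(layout per GnuPG's doc/DETAILS) and reports, per primary key, which other keys
have certified one of its user IDs and whether any certifier is in a
caller-supplied trusted set. All sample data below is constructed; the key IDs,
fingerprints and names are fictional.
"""
from dataclasses import dataclass, field

# Constructed sample (not real keyserver or audit data):
#  * key A1B2...0718 is certified by 0F1E...6978 (a key we hold) and by
#    FFFF...0000, whose public key is unavailable, so gpg marks that sig '?'
#  * key 9988...3322 carries only its own self-certification
SAMPLE_CHECK_SIGS = """\
pub:u:4096:1:A1B2C3D4E5F60718:1560000000:::u:::scESC::::::23::0:
fpr:::::::::000011112222333344445555A1B2C3D4E5F60718:
uid:u::::1560000000::0F0E0D0C::Maintainer One <one@example.invalid>::::::::::0:
sig:!::1:A1B2C3D4E5F60718:1560000000::::Maintainer One <one@example.invalid>:13x:::::2:
sig:!::1:0F1E2D3C4B5A6978:1560100000::::Release Manager <rm@example.invalid>:10x:::::2:
sig:?::1:FFFFFFFF00000000:1560200000::::[User ID not found]:10x:::::2:
pub:-:3072:1:9988776655443322:1570000000:::-:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF9988776655443322:
uid:-::::1570000000::ABCDEF01::Maintainer Two <two@example.invalid>::::::::::0:
sig:!::1:9988776655443322:1570000000::::Maintainer Two <two@example.invalid>:13x:::::2:
"""

# Signature classes 0x10-0x13 certify a user ID; 0x30 would be a revocation.
CERTIFICATION_CLASSES = {"10", "11", "12", "13"}


@dataclass
class Certification:
    signer: str      # key ID of the certifying key
    status: str      # '!' good, '-' bad, '?' signer key not available, '%' error
    sig_class: str   # e.g. "13x": class 0x13, 'x' exportable / 'l' local-only
    uid: str         # user ID the certification applies to


@dataclass
class Key:
    keyid: str
    fingerprint: str = ""
    uids: list = field(default_factory=list)
    certs: list = field(default_factory=list)


def parse_check_sigs(text: str) -> list:
    """Turn --with-colons --check-sigs records into Key objects (field N is index N-1)."""
    keys, current, current_uid = [], None, ""
    for line in text.splitlines():
        f = line.split(":")
        rtype = f[0]
        if rtype == "pub":
            current = Key(keyid=f[4])
            keys.append(current)
        elif current is None:
            continue
        elif rtype == "fpr":
            current.fingerprint = f[9]
        elif rtype == "uid":
            current_uid = f[9]
            current.uids.append(current_uid)
        elif rtype == "sig":
            current.certs.append(Certification(signer=f[4], status=f[1],
                                               sig_class=f[10], uid=current_uid))
    return keys


def third_party_certifiers(key: Key) -> set:
    """Key IDs whose certification on this key verified as good, excluding
    self-signatures and non-exportable (local) certifications."""
    return {c.signer for c in key.certs
            if c.signer != key.keyid
            and c.status == "!"
            and c.sig_class[:2] in CERTIFICATION_CLASSES
            and c.sig_class.endswith("x")}


def missing_signers(key: Key) -> set:
    """Certifiers gpg could not check because their public key is not in the
    keyring: such a certification cannot help anyone verify this key."""
    return {c.signer for c in key.certs if c.signer != key.keyid and c.status == "?"}


def classify(key: Key, trusted_signers: set) -> str:
    good = third_party_certifiers(key)
    if good & trusted_signers:
        return "verifiable"              # certified by a key the caller already trusts
    if good:
        return "certified-by-untrusted"  # a path exists, but the caller trusts none of it
    if missing_signers(key):
        return "certifiers-unavailable"  # certified in theory, not checkable in practice
    return "self-signed-only"


if __name__ == "__main__":
    trusted = {"0F1E2D3C4B5A6978"}  # constructed: a key the reader has already verified
    for k in parse_check_sigs(SAMPLE_CHECK_SIGS):
        print(k.keyid, classify(k, trusted), sorted(third_party_certifiers(k)),
              sorted(missing_signers(k)))
```

Run it as `python3 check_certs.py`, or feed it real output with `gpg --with-colons --check-sigs KEYID` in place of the constructed sample. Note that a "verifiable" result only means a good, exportable certification exists from a key in your own trusted set; the script deliberately does not consult gpg's ownertrust or attempt any trust-path calculation, since that policy is exactly the part a keyserver cannot supply.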