
72 points by harporoeder | 1 comment

upofadown No.41874613
> Of those 1069 unique keys, about 30% of them were not discoverable on major public keyservers, making it difficult or impossible to meaningfully verify those signatures. Of the remaining 71%, nearly half of them were unable to be meaningfully verified at the time of the audit (2023-05-19).

A PGP keyserver provides no identity verification. It is simply a place to store keys. So I don't understand this statement. What is the ultimate goal here? I thought that things like this mostly provided a consistent identity for contributing entities with no requirement to know who the people behind the identities actually were in real life.

replies(2): >>41874636 #>>41874649 #
ploxiln No.41874636
These keys could have related signatures from other keys, that some users or maintainers may have reason to trust.

(But for 30% of keys this was not even theoretically possible, while for another 40% of keys it was not practically possible, according to the article.)

replies(1): >>41880011 #
upofadown No.41880011
Do you mean like how Debian signs the keys of maintainers? My point is that nothing like that was done in this case. It is hard to know what went wrong when there didn't seem to be any policy in the first place.