
218 points miketheman | 3 comments
1. cpburns2009 No.42147410
The root point of this seems to be PyPI does not have the resources to manage user identity, and wants to outsource that component to Github, et al. That sounds fairly reasonable. But why deprecate GPG signatures? The problem with GPG signatures as I understand it is it's difficult to find the associated public key. That's fair. Why not host and allow users to add their public keys to their accounts? Wouldn't that solve the problem?
replies(1): >>42147481
2. dale_glass No.42147481
GPG is an ancient bit of tech with numerous problems:

* An extremely complex, byzantine packet format with security problems of its own.

* Decades of backwards compatibility, which also harms security.

* Extreme unfriendliness towards automation.

* Way too many features.

* Encouragement of bad security practices like extremely long-lived keys.

* Moribund and flawed ecosystem.

Lots of cryptographers agree that PGP has outlived its usefulness and it's time to put it out of its misery.

And really there's little need for GPG when package signing can be done more reliably and with less work without it.

I was a fan of PGP since the early days, but I agree that at this point it's best to abandon it.

replies(1): >>42147706
3. cpburns2009 No.42147706
I'll take your word that GPG is outdated. GPG is just the one that PyPI used to support. I don't particularly care what public key signing suite is used.