
Removal of any signatures system


Posted Apr 12, 2018 17:59 UTC (Thu) by mikemol (guest, #83507)
In reply to: Removal of any signatures system by sumanah
Parent article: A new package index for Python

If I read that Simple Project API documentation correctly, those aren't signatures, those are hashes. There's no key ID, so there's no way to tie an identity to the hash.

Don't get me wrong; the hashes are useful and carry value, but they're not _signatures_, they're just tamper checks.



Removal of any signatures system

Posted Apr 12, 2018 21:36 UTC (Thu) by sumanah (guest, #59891)

mikemol, thanks for the heads-up. That's not clear enough and we need to fix the docs. The signatures are available, but the API response does not specifically mention the signature filenames and the user has to concatenate a .asc suffix onto a filename to check whether that signature exists. So, we host the signatures but don't make it easy to retrieve them or check whether a particular release is associated with a signature or not. This is, I will admit, very inconvenient for people who want to check for signatures.

Removal of any signatures system

Posted Apr 13, 2018 22:33 UTC (Fri) by sumanah (guest, #59891)

Fixed the docs. Thanks again.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.