
Removal of any signatures system

Posted Apr 12, 2018 21:43 UTC (Thu) by anarcat (subscriber, #66354)
In reply to: Removal of any signatures system by dstufft
Parent article: A new package index for Python

In the Debian packaging workflow, OpenPGP certifications are useful. The workflow goes a bit like this:

1. software gets packaged in Debian
2. linting tools warn that PGP signatures could be checked
3. maintainer checks if upstream tarballs have a signature
4. if they do, the public key responsible for the signature is added to the Debian package
5. future updates to the package will verify the tarball with the signature, using a TOFU model

In step 4, it is useful to have the key available from PyPI instead of fishing it outside. Inciting maintainers to publish their keys on PyPI also helps in making that model work.

But again, I understand where you're coming from and I am very thankful and happy for the new PyPI. It seems you have done an awesome job with a huge project, and I didn't mean to nitpick on this pet peeve of mine. ;) So: congrats, and I'm curious to see what TUF will do for PyPI in the future!
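The pinned-key check that steps 4 and 5 of the comment describe, as an added example that is not part of the comment above or of Debian's own tooling. It assumes GnuPG 2.1 or later is on `PATH`; the upstream key, the "other" key and the two release tarballs are all constructed in a temporary directory rather than fetched. The `debian/upstream/signing-key.asc` path is the one Debian packages actually use for the pinned key, but the `verify_upstream` function is a stand-in for the `uscan` verification step, not a copy of it.

```sh
#!/bin/sh
# Added example: model of the TOFU upstream-tarball check (pin the upstream
# key once inside the package, then verify every later tarball against that
# pinned key only). Assumes gpg (GnuPG 2.1+) is available.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not found on PATH" >&2; exit 1; }

WORK=$(mktemp -d)
# The maintainer's own keyring lives here; it is deliberately NOT consulted
# when verifying, because "some key I happen to have" is not "the upstream key".
export GNUPGHOME="$WORK/maintainer-keyring"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill all 2>/dev/null || true; rm -rf "$WORK"' EXIT

PKG="$WORK/pkg"                                    # stands in for the Debian source package
PINNED_KEY="$PKG/debian/upstream/signing-key.asc"  # real Debian location of the pinned key
mkdir -p "$PKG/debian/upstream"

# gpg in unattended mode with an empty passphrase (constructed keys only).
gpg_batch() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Step 4 (first contact): obtain upstream's public key once and ship it in
# the package. Here it is generated instead of fetched from PyPI or a keyserver.
gpg_batch --quick-generate-key 'Upstream <upstream@example.invalid>' ed25519 sign never
gpg_batch --armor --export upstream@example.invalid > "$PINNED_KEY"

# An unrelated key that also sits in the maintainer's keyring (e.g. imported
# for some other package). A correct check must not accept it for this package.
gpg_batch --quick-generate-key 'Other <other@example.invalid>' ed25519 sign never

# Constructed "release tarballs", each with a detached armored signature (.asc).
printf 'release 1.0\n' > "$WORK/good.tar"
gpg_batch --local-user upstream@example.invalid --armor --detach-sign "$WORK/good.tar"
printf 'release 1.1\n' > "$WORK/other.tar"
gpg_batch --local-user other@example.invalid --armor --detach-sign "$WORK/other.tar"

# Step 5: verify TARBALL's detached SIGNATURE against ONLY the key pinned in
# PINNED_KEY_FILE. A throwaway keyring is filled from that file alone, and
# --no-default-keyring keeps the maintainer's keyring out of the decision.
# Returns 0 only if the signature is good and made by the pinned key.
verify_upstream() {  # verify_upstream TARBALL SIGNATURE PINNED_KEY_FILE
    kr="$WORK/pinned.gpg"
    rm -f "$kr"
    gpg --batch --quiet --no-default-keyring --keyring "$kr" --import "$3" 2>/dev/null
    gpg --batch --no-default-keyring --keyring "$kr" --trust-model always \
        --verify "$2" "$1" 2>/dev/null
}

if verify_upstream "$WORK/good.tar" "$WORK/good.tar.asc" "$PINNED_KEY"; then
    echo "good.tar: accepted, signed by the pinned upstream key"
fi
if ! verify_upstream "$WORK/other.tar" "$WORK/other.tar.asc" "$PINNED_KEY"; then
    echo "other.tar: rejected, signer is not the pinned key (even though the maintainer's keyring knows it)"
fi
```

The point of the throwaway keyring is the TOFU part of the model: whatever was pinned at step 4 is the only signer that counts afterwards, so a validly signed tarball from any other key, including one the maintainer imported for a different package, is rejected until the pinned key is deliberately changed in the package.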


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds