Hello,

On Wednesday, 15 November 2023 at 03:21:34 CET, Simon Richter wrote:
> disqualifying factor. Upload permissions are tied to a gpg key, and the
> holder of the key needs to at least demonstrate good practices in using
> gpg

I was recently discussing this with PyPI and core Python developers, and it seems that their take is very different from ours.

It seems that PyPI completely removed support for signed updates, and instead verification now happens if you upload from a GitHub pipeline.

It has been suggested that I'm a bit paranoid for stating that putting my private key on a Microsoft server renders the signature with that key completely meaningless.

I of course disagree, but the opinion of people in such key positions is easily valued more.

Perhaps we need an explicit policy on how to handle keys, since there are very different opinions about what it is OK to do with them.

Best

--
Salvo Tomaselli

"I do not feel obliged to believe that the same God who has endowed us with sense, reason and intellect intended us to forgo their use." -- Galileo Galilei

https://ltworf.codeberg.page/