GnuPG signatures on PyPI: why so few?
Howdy all,
What prospects are there for PyPI to have GnuPG-signed packages by default?
Debian's UScan has the ability to find, download, and verify the GnuPG
signature for a package source release. Lintian will remind the
maintainer if a Debian source package is not taking advantage of this.
However, this only works if upstream releases are actually accompanied
by a valid GnuPG signature each time. The PyPI infrastructure supports
this; why isn't it more widely encouraged?
This thread from 2016 has a possible answer:
while you can use GPG as is to verify that yes, "Donald Stufft"
signed a particular package, you cannot use it to determine if
"Donald Stufft" is *allowed* to sign for that package, a valid
signature from me on the requests project should be just as invalid
as an invalid signature from anyone on the requests project. The
only namespacing provided by GPG itself is "trusted key" vs "not
trusted key".
[…] I am aware of a single tool anywhere that actively supports
verifying the signatures that people upload to PyPI, and that is
Debian's uscan program. […]
All in all, I think that there is not a whole lot of point to having
this feature in PyPI, it is predicated a bunch of invalid
assumptions (as detailed above) and I do not believe end users are
actually even using the keys that are being uploaded.
[…] Thus, I would like to remove this feature from PyPI […].
<URL:https://mail.python.org/pipermail/distutils-sig/2016-May/028933.html>
The thread has some discussion, and Barry Warsaw makes the case for
Debian's use for signed releases. The last (?) post in the thread has a
kind of interim conclusion:
My main concern when implementing this is how to communicate it to
users […]. [A move that gives the impression] "we're getting rid of
this thing that only kinda works now in favor of something amazing
that doesn't exist yet" is just not a popular move.
<URL:https://mail.python.org/pipermail/distutils-sig/2016-May/028946.html>
In response to polite requests for signed releases, some upstream
maintainers are now pointing to that thread and closing bug reports as
“won't fix”.
What prospect is there in the Python community to get signed upstream
releases become the obvious norm?
--
\ “It is the fundamental duty of the citizen to resist and to |
`\ restrain the violence of the state.” —Noam Chomsky, 1971 |
_o__) |
Ben Finney
Reply to: