Hi,

> To be clear, PGP signatures can still be uploaded and they are still
> available for download, they just don’t appear in the UI anymore.

So, what does the pypi.debian.net redirector use for uscan? I imagine it used to scrape the website. Can it be changed to use the JSON API?

> Longer term I’d *like* to get rid of PGP signatures, because I think
> their value here is actually pretty low.

I partially share this opinion, but that's a question to be discussed with the Debian policy people in general. While checking a GPG signature on the source tarball in general is a good idea, I am afraid some developers just drop any key they find on first glance into the package and are done with it, which actually provides nothing but a false sense of safety.

> In that case they’d be replaced with TUF, but that’s a longer term
> project.

That one?: https://github.com/theupdateframework/tuf

Well, I can only say *please* do not remove the possibility to upload signed source tarballs, but leave that to the developers!

-nik

-- 
PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17 FD26 B79A 3C16 A0C4 F296

Dominik George · Hundeshagenstr. 26 · 53225 Bonn
Phone: +49 228 92934581 · https://www.dominik-george.de/

Teckids e.V. · FrOSCon e.V. · Debian Developer
LPIC-3 Linux Enterprise Professional (Security)