Re: the new PyPI, coming next month

On Apr 1, 2018, at 2:27 AM, Dominik George <natureshadow@debian.org> wrote:

> Hi,
>
>> To be clear, PGP signatures can still be uploaded and they are still
>> available for download, they just don’t appear in the UI anymore.
>
> So, what does the pypi.debian.net redirector use for uscan?  I imagine it
> used to scrape the website.  Can it be changed to use the JSON API?

The original PoC I wrote used the JSON API, but I don’t think what’s being deployed is descended from my PoC so I have no idea what it uses, but if it’s not using the JSON API then yes it can be.

>> Longer term I’d *like* to get rid of PGP signatures, because I think
>> their value here is actually pretty low.
>
> I partially share this opinion, but that's a question to be discussed with
> the Debian policy people in general.  While checking a GPG signature on the
> source tarball in general is a good idea, I am afraid some developers just
> drop any key they find on first glance into the package and are done with
> it, which actually provides nothing but a false sense of safety.
>
>> In that case they’d be replaced with TUF, but that’s a longer term
>> project.
>
> That one?: https://github.com/theupdateframework/tuf

Yes.

> Well, I can only say *please* do not remove the possibility to upload signed
> source tarballs, but leave that to the developers!
>
> -nik
>
> --
> PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296
>
> Dominik George · Hundeshagenstr. 26 · 53225 Bonn
> Phone: +49 228 92934581 · https://www.dominik-george.de/
>
> Teckids e.V. · FrOSCon e.V. · Debian Developer
>
> LPIC-3 Linux Enterprise Professional (Security)