PyPI removes PGP-signature support

by corbet, LWN.net
The PyPI package archive has removed support for PGP signatures on packages. The announcement summarizes the audit behind the decision:

In other words, out of all of the unique keys that had uploaded signatures to PyPI, only 36% of them were capable of being meaningfully verified at the time of audit. Even if all of those signatures uploaded in that 3-year period of time were made by one of those 36% of keys that are able to be meaningfully verified, that would still represent only 0.3% of all of those files.

Given all of this, the continued support of uploading PGP signatures to PyPI is no longer defensible.
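The quoted figures turn on a step that comes before any cryptography: a signature can only be "meaningfully verified" if the key that made it can be located at all. The Python below is an added illustration, not code from LWN or from PyPI's audit (whose exact method is not described here). It parses a detached, ASCII-armored OpenPGP signature as laid out in RFC 4880 (armor checksum, old-format packet header, v4 signature body, subpacket areas) down to the issuer key ID, then asks a stand-in keyring whether that key exists. The signature packet is constructed inline with a dummy signature value so the example runs offline; `classify` and its `keyring` argument are hypothetical names standing in for whatever key source an audit would consult.

```python
import base64
import struct

def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(packet: bytes) -> str:
    b64 = base64.b64encode(packet).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP SIGNATURE-----\n\n{body}\n={crc}\n-----END PGP SIGNATURE-----\n"

def dearmor(text: str) -> bytes:
    lines = text.strip().splitlines()
    if lines[0] != "-----BEGIN PGP SIGNATURE-----" or lines[-1] != "-----END PGP SIGNATURE-----":
        raise ValueError("not an armored PGP signature")
    body = lines[1:-1]
    body = body[body.index("") + 1:] if "" in body else body  # skip any armor headers
    packet = base64.b64decode("".join(body[:-1]))
    if crc24(packet) != int.from_bytes(base64.b64decode(body[-1][1:]), "big"):
        raise ValueError("armor checksum mismatch")
    return packet

def build_signature_packet(key_id: bytes, created: int) -> bytes:
    """Constructed test input: a syntactically valid v4 signature packet with a dummy signature value."""
    hashed = bytes([5, 2]) + struct.pack(">I", created)     # subpacket 2: creation time
    unhashed = bytes([9, 16]) + key_id                       # subpacket 16: issuer key ID
    body = (bytes([4, 0x00, 1, 8])                           # v4, binary document, RSA, SHA-256
            + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed
            + b"\x12\x34"                                    # left 16 bits of the hash (dummy)
            + struct.pack(">H", 16) + b"\xff\xff")           # MPI: dummy 16-bit signature value
    # Old-format packet header: 0x80 | tag 2 << 2 | length type 1 (two-octet body length)
    return bytes([0x80 | (2 << 2) | 1]) + struct.pack(">H", len(body)) + body

def parse_packet_header(data: bytes) -> tuple:
    """Old-format header, the form gpg uses for detached signatures: (tag, header length, body length)."""
    first = data[0]
    if first & 0xC0 != 0x80:
        raise ValueError("not an old-format OpenPGP packet header")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, struct.unpack(">H", data[1:3])[0]
    if ltype == 2:
        return tag, 5, struct.unpack(">I", data[1:5])[0]
    raise ValueError("indeterminate packet length not supported")

def iter_subpackets(area: bytes):
    """Yield (type, payload) pairs from a signature subpacket area (RFC 4880 section 5.2.3.1)."""
    pos = 0
    while pos < len(area):
        first = area[pos]
        if first < 192:
            length, pos = first, pos + 1
        elif first < 255:
            length, pos = ((first - 192) << 8) + area[pos + 1] + 192, pos + 2
        else:
            length, pos = struct.unpack(">I", area[pos + 1:pos + 5])[0], pos + 5
        yield area[pos] & 0x7F, area[pos + 1:pos + length]  # mask off the "critical" bit
        pos += length

def parse_signature(armored: str) -> dict:
    """Return algorithm identifiers, creation time and issuer key ID of a v4 signature."""
    data = dearmor(armored)
    tag, hdr_len, body_len = parse_packet_header(data)
    if tag != 2:
        raise ValueError(f"expected a signature packet (tag 2), got tag {tag}")
    body = data[hdr_len:hdr_len + body_len]
    if body[0] != 4:
        raise ValueError(f"unsupported signature version {body[0]}")
    info = {"sig_type": body[1], "pubkey_algo": body[2], "hash_algo": body[3], "created": None, "key_id": None}
    pos = 4
    for _ in range(2):  # hashed subpacket area, then unhashed
        count = struct.unpack(">H", body[pos:pos + 2])[0]
        for sp_type, payload in iter_subpackets(body[pos + 2:pos + 2 + count]):
            if sp_type == 2:
                info["created"] = struct.unpack(">I", payload)[0]
            elif sp_type == 16:
                info["key_id"] = payload.hex().upper()
        pos += 2 + count
    return info

def classify(armored: str, keyring: dict) -> str:
    """The gate before any cryptographic check: can the signing key be found at all?
    `keyring` is a hypothetical stand-in for whatever key source an audit would consult."""
    key_id = parse_signature(armored)["key_id"]
    if key_id is None:
        return "no issuer subpacket: nothing to look up"
    if key_id not in keyring:
        return f"key {key_id} not retrievable: signature cannot be verified"
    return f"key {key_id} found: proceed to signature verification"
```

Calling `classify(armor(build_signature_packet(bytes.fromhex("0123456789ABCDEF"), 1700000000)), {})` reports the key as not retrievable; the same signature against a keyring containing `"0123456789ABCDEF"` passes the gate. Only past that point does the actual signature check, and the question of whether the key belongs to the project, even arise; the audit figures quoted above describe how often real signatures never got that far.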
