Comment by usr1106

1 year ago

Isn't that throwing out the baby with the bathwater? There seem to be non-negligible risks of installing malware from PyPI according to various headlines recently. But instead of improving security measures that don't work well they just remove them?

Removing security features that don't work is a separate concern from making security features that do work. Nobody who has done any serious work on PyPI security in the past 15 years thinks that GPG will play a part in the future of PyPI security. Its support was entirely vestigial, served no practical purpose, and never would.

Most supply chain attacks rely on dependency confusion or typo-squatting, which PGP signing doesn't solve. An attacker can PGP sign their typosquatted package, and the package manager won't know to alert you because as far as it can tell, you intended to install that package. (This is before even considering whether the packages are signed with strong keys, or users are actually verifying them against any public trust store.) That's one reason supply chain issues are so pernicious - they're more of a human problem than a technical one.

That said, I do agree with your premise that the limited usefulness of PGP signing doesn't necessitate removing the feature entirely.
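The point above (a valid signature on a typosquatted package passes verification because the signature proves who built the artifact, not that you meant to install it) as an added, self-contained illustration that is not from the thread or from PyPI's code. It stands in for PGP with keyed HMAC so it runs without any crypto library; the publisher names, keys, package names and the name-similarity check are all constructed for the example.

```python
import hashlib
import hmac
from difflib import SequenceMatcher

# Constructed stand-in for a PGP keyring: one signing key per publisher.
# HMAC is used only to model "holder of key K produced this artifact";
# real PGP is asymmetric, but the property under discussion is the same.
PUBLISHER_KEYS = {
    "requests-maintainer": b"constructed-key-legit-publisher",
    "rando": b"constructed-key-typosquatter",
}

# The installer's trust store: both keys have been imported, as often
# happens when users blindly fetch whatever key a package advertises.
TRUSTED_PUBLISHERS = set(PUBLISHER_KEYS)

# Defender-side allowlist of names the project has actually vetted
# (an assumption for the example; PyPI itself has no such list).
KNOWN_GOOD_NAMES = {"requests", "urllib3", "certifi"}


def sign(publisher, name, payload):
    """Signature over the package name and its bytes, by one publisher's key."""
    msg = name.encode() + b"\0" + payload
    return hmac.new(PUBLISHER_KEYS[publisher], msg, hashlib.sha256).hexdigest()


def signature_valid(publisher, name, payload, sig):
    """What a signature check can tell you: the bytes match the claimed key."""
    if publisher not in TRUSTED_PUBLISHERS:
        return False
    return hmac.compare_digest(sign(publisher, name, payload), sig)


def lookalike_of(name, known=KNOWN_GOOD_NAMES, threshold=0.8):
    """Return a vetted name this one closely resembles but is not, else None."""
    if name in known:
        return None
    for good in known:
        if SequenceMatcher(None, name, good).ratio() >= threshold:
            return good
    return None


def install_decision(publisher, name, payload, sig):
    """Signature check alone accepts the typosquat; the name check catches it."""
    if not signature_valid(publisher, name, payload, sig):
        return "reject: bad signature"
    near = lookalike_of(name)
    if near is not None:
        return f"hold: {name!r} resembles vetted {near!r}"
    return "install"
```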

> Isn't that throwing out the baby with the bathwater?

That assumes there’s a baby in the bath water.

> But instead of improving security measures that don't work well they just remove them?

Well yes, “security measures” which don’t work are usually worse than nothing.

There are many cases where it's better to know you don't have something correctly than think you have something incorrectly. Security is certainly one.