Comment by KRAKRISMOTT

1 year ago

How would someone publish a package without having to rely on institutional OAuth providers?

You can still publish a package without signing it; none of this is mandatory (or even implemented yet).

IMO, one of the things that Sigstore will need to do to become a "serious" code-signing solution for OSS ecosystems is support one or more vendor-neutral IdPs: Sigstore itself is a Linux Foundation project and thus might be able to serve as the right venue for that, or it could be a CA/B-style affair where individual neutral IdPs can qualify for inclusion.

  • I'd love to make this happen, but there aren't really any IdPs that meet these criteria yet.

    Happy to help get one going though!

    • You will run into this problem when developers from "fun" places like Russia and Iran try to sign packages since they are sanctioned by GitHub and other services. I am not sure about Python but quite a few high profile JavaScript libraries are by Russian engineers.

    • Ah yes. Let's give all of our personal information to USA… They are so trustworthy!

Eventually? You don't.

The goal of the big companies financing PyPI and the other repositories is to identify users with a name, so they can easily ban Russians/Koreans/Iranians/tomorrow's undesirables with ease.

  • With my PyPI administrator hat on, we have absolutely zero desire to ban anyone from PyPI for anything other than their actions on PyPI and in the Python ecosystem (uploading malware, etc).

    If some class of users cannot use whatever signing solution we come up with, then we'll figure out an option for them or we'll scrap the solution completely.