← Back to context

Comment by woodruffw

1 year ago

> Does this make any sense?

It makes sense in terms of trusting the package index, but it's inverted from the original design goal: the point of end-user signatures on package indices is to eliminate unnecessary package index trust, not reinforce it.

If you already trust the package index, then mandating HTTPS and strong cryptographic digests is going to be far more effective (and secure) than some kind of PGP key attestation scheme.

2 comments

woodruffw

Reply
reidrac  1 year ago

The package index only hosts the packages, but doesn't release them. The dev releasing the package is who signs it.

Without an easy way to verify the keys, the signatures are useless. Which is why PiPy is removing the GPG keys all together.

  • woodruffw  1 year ago

    > The package index only hosts the packages, but doesn't release them. The dev releasing the package is who signs it.

    I know that; the GP is describing a countersigning scheme, where the package index (qua trusted entity) countersigns for the signing key, which the dev then uses to sign for their package.

    > Without an easy way to verify the keys, the signatures are useless. Which is why PiPy is removing the GPG keys all together.

    Agreed entirely; I'm the one who wrote the analysis in the linked announcement :-)