
Comment by WhyNotHugo

1 year ago

When many developers didn't use 2FA they pushed for them to enable 2FA within a deadline. It sounds like the same approach could have been used for PyPI. E.g.: an attempt to make the feature useful before declaring it dead forever.

This has very little to do with 2FA: PGP signing has been de facto dead for years on PyPI, and this change has no effect on publishing workflows: PyPI will still accept uploads that contain signatures, and just ignores them now.

It's also not accurate to say that PyPI failed to make 2FA useful: it was deployed for over two years before the 2FA mandate for critical projects went into effect. That mandate also came with free hardware keys for everyone affected.

No. 2FA is a feature for PyPI, and developers. The entire purpose of PGP sigs was external, it was for distributions to use.

Distributions don't use it, therefore it's worthless: just overhead and technical debt.