Comment by woodruffw
1 year ago
> The package index only hosts the packages, but doesn't release them. The dev releasing the package is who signs it.
I know that; the GP is describing a countersigning scheme, where the package index (qua trusted entity) countersigns for the signing key, which the dev then uses to sign for their package.
> Without an easy way to verify the keys, the signatures are useless. Which is why PyPI is removing the GPG keys altogether.
Agreed entirely; I'm the one who wrote the analysis in the linked announcement :-)
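The countersigning scheme described in this exchange (index endorses the developer's signing key, developer signs the release, verifier checks both links) can be sketched in a few dozen lines of Go with the standard library's ed25519. This is an added illustration, not code from the comment author, PyPI, or any real index; the names (`Endorse`, `SignRelease`, `Verify`, `Scenario`) and the endorsement message prefix are assumptions chosen for the example, and the keys and package bytes are constructed inline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Endorsement is the index's countersignature over a developer public key
// (hypothetical structure for this example).
type Endorsement struct {
	DevPub   ed25519.PublicKey
	IndexSig []byte
}

// Release is a package digest signed by the developer's key.
type Release struct {
	Digest []byte
	DevSig []byte
}

// endorsementMessage domain-separates the index signature so it cannot be
// confused with a signature over package content (assumed prefix).
func endorsementMessage(devPub ed25519.PublicKey) []byte {
	return append([]byte("example-index-key-endorsement-v1:"), devPub...)
}

// Endorse is what the index (the trusted entity) does: it vouches for a key.
func Endorse(indexPriv ed25519.PrivateKey, devPub ed25519.PublicKey) Endorsement {
	return Endorsement{DevPub: devPub, IndexSig: ed25519.Sign(indexPriv, endorsementMessage(devPub))}
}

// SignRelease is what the developer does: sign the digest of the artifact.
func SignRelease(devPriv ed25519.PrivateKey, pkg []byte) Release {
	d := sha256.Sum256(pkg)
	return Release{Digest: d[:], DevSig: ed25519.Sign(devPriv, d[:])}
}

// Verify checks the whole chain: index -> developer key -> package bytes.
// Only the index public key needs to be distributed out of band.
func Verify(indexPub ed25519.PublicKey, e Endorsement, r Release, pkg []byte) error {
	if !ed25519.Verify(indexPub, endorsementMessage(e.DevPub), e.IndexSig) {
		return errors.New("developer key is not endorsed by the index")
	}
	d := sha256.Sum256(pkg)
	if !bytes.Equal(d[:], r.Digest) {
		return errors.New("package digest does not match the signed digest")
	}
	if !ed25519.Verify(e.DevPub, d[:], r.DevSig) {
		return errors.New("developer signature over the package is invalid")
	}
	return nil
}

// Scenario runs three checks and returns their outcomes: a valid release,
// a tampered package, and a release signed by a key the index never endorsed.
func Scenario() (valid, tampered, unendorsed error) {
	indexPub, indexPriv, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devPriv, _ := ed25519.GenerateKey(rand.Reader)
	roguePub, roguePriv, _ := ed25519.GenerateKey(rand.Reader)

	pkg := []byte("constructed sample wheel contents")
	endorsement := Endorse(indexPriv, devPub)
	release := SignRelease(devPriv, pkg)

	valid = Verify(indexPub, endorsement, release, pkg)
	tampered = Verify(indexPub, endorsement, release, append(pkg, '!'))

	// A key with no index countersignature: even a correct package signature
	// must be rejected, because nothing ties the key to a trusted party.
	rogue := Endorsement{DevPub: roguePub, IndexSig: ed25519.Sign(roguePriv, endorsementMessage(roguePub))}
	unendorsed = Verify(indexPub, rogue, SignRelease(roguePriv, pkg), pkg)
	return
}

func main() {
	v, t, u := Scenario()
	fmt.Println("valid release:", v)
	fmt.Println("tampered package:", t)
	fmt.Println("unendorsed key:", u)
}
```

The point the example makes is the one the comment makes: the verifier only ever needs the index's key, so the "how do I verify this developer's key" problem collapses to trusting one well-known key, and a self-signed endorsement from an unknown key buys nothing.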