
Comment by bryanlyon

1 year ago

I came here thinking they were removing the PGP package from PyPi, but they're just removing a barely-used signature system? I don't know why they have to remove it though. I doubt it requires much maintenance now that it's already in place.

Even if only 37% of keys are verifiable, that's infinitely more than will be verifiable if they remove the PGP support.

They address your comment directly in their post:

> While it doesn't represent a massive operational burden to continue to support it, it does require any new features that touch the storage of files to be made aware of and capable of handling these PGP signatures, which is a non zero cost on the maintainers and contributors of PyPI.

> Even if only 37% of keys are verifiable, that's infinitely more than will be verifiable if they remove the PGP support.

Discoverable. That does not really verify anything about the key, its identities or the supposed signer.

It boils down almost entirely to just an overcomplicated hashing system.