Comment by woodruffw
1 year ago
> There is some security even if they provide the public key.
That security is integrity, which PyPI already provides through strong cryptographic digests of each package distribution. Codesigning schemes need to provide authenticity, not just integrity; a codesigning scheme that's downgradeable to arbitrary key trust is a more-complicated-than-necessary hashing scheme.
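The distinction the comment draws, as an added example that is not part of the original thread and not PyPI's or the commenter's code: three verifier policies are run over a constructed wheel-like byte string. `verify_digest` checks a digest obtained out of band (integrity), `verify_any_key` trusts whatever public key ships with the download (the "arbitrary key trust" downgrade), and `verify_pinned` requires the key to be in a trust set established before the download (authenticity). The signature scheme is a toy textbook RSA built from the standard library so the block runs offline; all function and key names are assumptions for illustration.

```python
"""Integrity versus authenticity for a signed package distribution.

Added example, not code from PyPI or from the commenter. The signature scheme
is toy textbook RSA (unpadded, 512-bit modulus, stdlib only) so the example
runs offline; the artifact bytes and every name below are constructed."""
import hashlib
import secrets
from dataclasses import dataclass

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin with random bases; adequate for an illustration."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # no square reached n-1: composite
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if _is_probable_prime(cand):
            return cand

@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int

@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int
    public: PublicKey

def generate_keypair(bits: int = 512) -> PrivateKey:
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    return PrivateKey(n=n, d=pow(e, -1, phi), public=PublicKey(n=n, e=e))

def _digest_int(artifact: bytes) -> int:
    # A SHA-256 value is below 2**256, hence below the 512-bit modulus: no reduction needed.
    return int.from_bytes(hashlib.sha256(artifact).digest(), "big")

def sign(priv: PrivateKey, artifact: bytes) -> int:
    return pow(_digest_int(artifact), priv.d, priv.n)

def signature_valid(pub: PublicKey, artifact: bytes, sig: int) -> bool:
    return pow(sig, pub.e, pub.n) == _digest_int(artifact)

def verify_digest(artifact: bytes, expected_sha256: str) -> bool:
    """Integrity only; the expected digest must come from a trusted channel, not the download."""
    return hashlib.sha256(artifact).hexdigest() == expected_sha256

def verify_any_key(bundle: dict) -> bool:
    """The downgradeable policy: trust whatever public key ships in the bundle."""
    return signature_valid(bundle["key"], bundle["artifact"], bundle["sig"])

def verify_pinned(bundle: dict, trusted_keys: set) -> bool:
    """Authenticity: the key must already be trusted before the signature means anything."""
    return bundle["key"] in trusted_keys and verify_any_key(bundle)

def demo() -> dict:
    """Run a genuine release and a swapped-key release through each policy."""
    maintainer, other = generate_keypair(), generate_keypair()
    artifact = b"PK\x03\x04 constructed stand-in for example-1.0-py3-none-any.whl"
    expected_sha256 = hashlib.sha256(artifact).hexdigest()  # as published by the index
    genuine = {"artifact": artifact, "key": maintainer.public, "sig": sign(maintainer, artifact)}
    # A channel that ships its own key next to a modified file is internally
    # consistent, which is all the any-key policy checks.
    modified = artifact + b"\n# constructed modification"
    swapped = {"artifact": modified, "key": other.public, "sig": sign(other, modified)}
    trusted = {maintainer.public}
    return {
        "digest": {"genuine": verify_digest(artifact, expected_sha256),
                   "swapped": verify_digest(modified, expected_sha256)},
        "any_key": {"genuine": verify_any_key(genuine), "swapped": verify_any_key(swapped)},
        "pinned": {"genuine": verify_pinned(genuine, trusted), "swapped": verify_pinned(swapped, trusted)},
    }

if __name__ == "__main__":
    for policy, outcome in demo().items():
        print(f"{policy:8s} genuine={outcome['genuine']!s:5s} swapped={outcome['swapped']}")
```

The `any_key` row accepts both bundles, so it tells the installer nothing the out-of-band digest did not already: the only thing it proves is that file, signature and key are consistent with each other. Only `pinned` rejects the swapped bundle, and it can do so only because `trusted` was populated from somewhere other than the bundle under test; in a real scheme that trust root is a key registered with the index, a certificate chain, or a transparency log rather than a hard-coded set.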