
Comment by Taywee

1 year ago

> That's exactly what I (also) want, that is, knowing that the authors remained the same, whoever they are

The authors are often many people. You can have one person signing on behalf of all the others. PGP isn't going to tell you that the authors remained the same, only that the signer did (or that many people have access to the same private key and hopefully every one of them is completely trustworthy).

PGP doesn't let you verify that the authors remained the same. Only the key. If you wanted to actually verify authors, you'd have to have all of them sign their own commits, and you'd have to validate every commit, not just the release, otherwise you're just back to trusting whoever holds the key. Many projects very regularly get new committers, too, so you'd have to validate many new signatures with every single update.

> Nope, nobody really needs more of that, since that's what your HTTPS certificate is for.

No it's not. Your HTTPS certificate will not tell you "this PyPI package release is actually built and uploaded by the same person who controls the GitHub repository linked on the package page". PyPI hosts distributions. It frequently has source distributions, but it doesn't necessarily host "source code", which would usually mean the source repository. Even with that, it's Transport Layer Security, or a Secure Socket Layer. It does not authenticate anything other than the Socket/Transport itself.

I'm fine with PGP, but most people don't really know how to use it. They add a key and think they're safe when it validates, but that only protects you if you already trust the key. PGP signing doesn't tell you "this is safe", just "this was signed by the person who has the private key for this public key", which isn't as useful without a lot of personal footwork or a trusted authority.

PGP key signing parties were a thing for a reason. Using PGP properly requires either an initial leap of trust (importing your distro's keys and trusting what they trust), a lot of diligence (personally verifying identities), or a small amount of diligence with a good web of trust (you sign keys that you know are good, and so does everybody you know, so a lot of what you find online you can validate through your links).
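The point made in this comment, that a "Good signature" only proves who held the private key and that trusting that key is a separate decision, as an added example (not code from this thread). It assumes GnuPG 2.1+ on PATH, uses throwaway keys in temporary directories, and stands in for the downloader's trust decision with a pinned fingerprint:

```shell
#!/bin/sh
# Added example, not code from the thread. gpg saying "Good signature" only
# proves the signer held the private key; whether that key is one you trust is
# a separate decision, made here by pinning a fingerprint. Assumes GnuPG 2.1+
# on PATH; all keys and files are throwaway and live under a temp directory.
set -eu
WORK=$(mktemp -d)
SIGNER="$WORK/signer"; VERIFIER="$WORK/verifier"
mkdir -m 700 "$SIGNER" "$VERIFIER"
cleanup() {
    GNUPGHOME="$SIGNER" gpgconf --kill gpg-agent 2>/dev/null || true
    GNUPGHOME="$VERIFIER" gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$WORK"
}
trap cleanup EXIT
printf 'pretend this is a release tarball\n' > "$WORK/release.tar"

# Maintainer side: throwaway key, detached signature, exported public key.
GNUPGHOME="$SIGNER" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Release Bot <release@example.invalid>' default default 2>/dev/null
GNUPGHOME="$SIGNER" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --armor --detach-sign --output "$WORK/release.tar.asc" "$WORK/release.tar"
GNUPGHOME="$SIGNER" gpg --batch --quiet --armor --export > "$WORK/maintainer.asc"
# The fingerprint a downloader would have pinned out of band (e.g. from an earlier release).
REAL_FPR=$(GNUPGHOME="$SIGNER" gpg --batch --with-colons --list-keys | awk -F: '/^fpr/ { print $10; exit }')

# Downloader side: import whatever key was published next to the artifact.
GNUPGHOME="$VERIFIER" gpg --batch --quiet --import "$WORK/maintainer.asc" 2>/dev/null

# verdict SIGFILE FILE PINNED_FPR -> prints trusted | valid-but-untrusted | bad-signature
verdict() {
    # --status-fd gives machine-readable lines; VALIDSIG ends with the primary key fingerprint.
    status=$(GNUPGHOME="$VERIFIER" gpg --batch --status-fd 1 --verify "$1" "$2" 2>/dev/null || true)
    fpr=$(printf '%s\n' "$status" | awk '/^\[GNUPG:\] VALIDSIG/ { print $NF; exit }')
    if [ -z "$fpr" ]; then
        echo bad-signature            # no VALIDSIG line: BADSIG, NO_PUBKEY, or mangled input
    elif [ "$fpr" = "$3" ]; then
        echo trusted                  # cryptographically valid AND the key we chose to trust
    else
        echo valid-but-untrusted      # gpg exits 0 with "Good signature", but we never trusted this key
    fi
}

# Scenario 1: genuine artifact, pinned key matches.
verdict "$WORK/release.tar.asc" "$WORK/release.tar" "$REAL_FPR"                  # trusted
# Scenario 2: same valid signature, but the pin (an all-zero placeholder) is some other key.
verdict "$WORK/release.tar.asc" "$WORK/release.tar" "0000000000000000000000000000000000000000"  # valid-but-untrusted
# Scenario 3: artifact modified after signing.
cp "$WORK/release.tar" "$WORK/tampered.tar"; printf 'x' >> "$WORK/tampered.tar"
verdict "$WORK/release.tar.asc" "$WORK/tampered.tar" "$REAL_FPR"                 # bad-signature
```

Scenario 2 is the case the comment warns about: gpg reports a good signature (and only a TRUST_UNDEFINED status line to say the key is unknown), so the "it validates" feeling comes entirely from the pin, not from the signature.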

The people in charge of doing a release, with the permissions to do so, are a much smaller subset than the authors.

And PGP does support web of trust, so if the previous release guy trusts the new release guy… perhaps we could accept it as well.

  • > And PGP does support web of trust, so if the previous release guy trusts the new release guy… perhaps we could accept it as well.

    PGP's web of trust has been broken since at least 2019[1]. GPG removed support for it years ago.

    (This is a recurring problem with PGP: if you search these things, you're given the false impression that it's all still humming along.)

    [1]: https://inversegravity.net/2019/web-of-trust-dead/

    • Web of trust based on signatures on keyservers is dead. That is not what is being suggested here.