Comment by crote
1 year ago
> knowing that the authors remained the same
The problem is that "authors" is not a well-defined concept, and especially larger projects will have very regular author changes. Is the author the person who made the last commit? The person who uploaded it to PyPI? The person who is currently managing the project? What if it isn't a person but a company?
> that's what your HTTPS certificate is for
A lot of open source projects rely on untrusted third-party mirrors. The main server will just randomly redirect you to a mirror near you, so HTTPS certificates are pretty much useless because you are connecting to a third-party domain. They use signatures to prevent the mirror from doing weird stuff, and they guarantee that the mirror is serving the upstream content as-is.
The author is the person holding the release signing key
"The"? Multiple people may hold the key.
"Person"? The release could be part of an automated process.
> and especially larger projects will have very regular author changes
We're not checking the signature of every commit, just of the release. It is usually 1 or 2 people who do releases.
But in this case we lose one way of defining authors.
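The mirror scenario discussed above, as an added illustration that is not taken from any of the commenters (Go, standard library only): the downloader trusts nothing but a pinned release public key, so which mirror served the bytes, and what certificate that mirror presented, plays no part in the check. The key pair, the artifact contents and the tampering step are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Release is what the maintainer publishes: the artifact plus a detached
// signature over its SHA-256 digest, made with the release signing key.
type Release struct {
	Artifact  []byte
	Signature []byte
}

// Sign runs on the maintainer side, once per release.
func Sign(priv ed25519.PrivateKey, artifact []byte) Release {
	digest := sha256.Sum256(artifact)
	return Release{Artifact: artifact, Signature: ed25519.Sign(priv, digest[:])}
}

// Verify runs on the downloader side. The only trust input is the pinned
// release public key; the mirror's domain and TLS certificate are irrelevant.
func Verify(pinned ed25519.PublicKey, r Release) error {
	digest := sha256.Sum256(r.Artifact)
	if !ed25519.Verify(pinned, digest[:], r.Signature) {
		return errors.New("signature does not match the pinned release key")
	}
	return nil
}

// mirror models an untrusted third party that may alter what it serves
// (constructed: it rewrites the version string inside the artifact).
func mirror(r Release, tamper bool) Release {
	if tamper {
		r.Artifact = bytes.Replace(r.Artifact, []byte("v1.2.3"), []byte("v1.2.3-evil"), 1)
	}
	return r
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed release key
	upstream := Sign(priv, []byte("tarball-v1.2.3"))
	fmt.Println("clean mirror:", Verify(pub, mirror(upstream, false)))
	fmt.Println("tampered mirror:", Verify(pub, mirror(upstream, true)))
}
```

A signature from any key other than the pinned one fails the same way, which is the sense in which "the author" becomes "whoever holds the release key".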