Comment by bombolo

1 year ago

> What happens if the developer loses his key? Or if it expires?

What happens if a developer loses their Google Titan key that is required to log in to PyPI?

They either have their backup codes, or there's probably a manual process the PyPI team can use to get them their account back if they can sufficiently show they are the real developers. If you have any form of automated signature verification, you basically need a concept of how to handle recovery. But if this concept comes down to "trust PyPI", then you really can just skip the whole thing and rely on PyPI giving you the right packages and HTTPS to secure the connection.