Comment by sacnoradhq

1 year ago

So how are Python packages signed? Are they just shipping rando code without any sort of E2E assurance?

FWIW, Ruby also did a piss-poor job of handling gem signing by making it both difficult and optional.

How fucking hard is it to get to the level of code release assurance that Debian or Fedora have? Manage GPG keys, signfest them, and enforce a policy.