Comment by bee_rider
7 hours ago
I dunno, not all projects are equally important or popular, so it seems to me that the number of downloads which had keys is the better metric to look at.
But, if there are fundamental issues with the key system anyway, the percentages don’t matter anyway.
You're absolutely right that the number of downloads is probably a more important metric! But also yes, I think the basic "can't discover valid keys for a large majority of packages" is a sufficient justification, which is why I went with it :-)
The raw data behind the blog post is archived here[1]. It would be pretty easy to reduce it back down to package names, and see which/what percent of those names are in the top 500/1000/5000/etc. of PyPI packages by downloads. My prediction is that there's no particular relationship between "uploads a PGP key" and popularity, but that's speculative.
[1]: https://github.com/woodruffw/pypi-pgp-statistics