
Comment by woodruffw

11 hours ago

> I mean it seems like a pretty big step up security wise to know that a new version of a package is signed with the same key as previous versions.

A key part of the rationale for removing PGP uploads from PyPI was that you can't in fact know this, given the current state (and expected future) of key distribution in PGP.

(But also: yes, it's indeed important that the key can be verified i.e. considered authentic for an identity. Without that, you're in "secure phone call with the devil" territory.)

> A key part of the rationale for removing PGP uploads from PyPI was that you can't in fact know this, given the current state (and expected future) of key distribution in PGP.

I find that hard to believe. The public key or at least its fingerprint should be in the signature itself.
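Added example, not from either commenter: a small parser for a constructed OpenPGP v4 signature body, showing what such a signature actually names about its signing key (an issuer key ID and, optionally, an issuer fingerprint, but never the public key itself, and only hashed subpackets are covered by the signature). Subpacket layout follows RFC 4880 / RFC 9580; the sample fingerprint, key ID, hash prefix and MPI bytes are made up.

```python
import struct

ISSUER, ISSUER_FPR = 16, 33  # subpacket types: Issuer (RFC 4880) and Issuer Fingerprint (RFC 9580)

def parse_subpackets(buf):
    """Return [(type, data), ...] from a subpacket area (1-, 2- and 5-octet length forms)."""
    i, out = 0, []
    while i < len(buf):
        first = buf[i]
        if first < 192:
            length, i = first, i + 1
        elif first < 255:
            length, i = ((first - 192) << 8) + buf[i + 1] + 192, i + 2
        else:
            length, i = struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5
        out.append((buf[i] & 0x7F, bytes(buf[i + 1:i + length])))  # mask the "critical" bit
        i += length
    return out

def signer_identity(sig_body):
    """Report what a v4 signature body says about its key; the bool = covered by the signature."""
    if sig_body[0] != 4:
        raise ValueError("only v4 signatures are handled here")
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    hashed = sig_body[6:6 + hashed_len]
    off = 6 + hashed_len
    unhashed_len = struct.unpack(">H", sig_body[off:off + 2])[0]
    unhashed = sig_body[off + 2:off + 2 + unhashed_len]
    ident = {"key_id": None, "fingerprint": None, "public_key": None}  # no key material ever appears
    # Only hashed subpackets are under the signature; an issuer ID in the unhashed area is a bare hint.
    for area, covered in ((hashed, True), (unhashed, False)):
        for typ, data in parse_subpackets(area):
            if typ == ISSUER:
                ident["key_id"] = (data.hex(), covered)
            elif typ == ISSUER_FPR and data[0] == 4:
                ident["fingerprint"] = (data[1:].hex(), covered)
    return ident

def _sub(typ, data):  # encode one subpacket with the 1-octet length form (data under 191 bytes)
    return bytes([len(data) + 1, typ]) + data

# Constructed sample (not a real signature): v4, binary document (0x00), RSA (0x01), SHA-256 (0x08),
# issuer fingerprint in the hashed area, issuer key ID only in the unhashed area.
SAMPLE_FPR = bytes(range(0xA0, 0xB4))  # 20 made-up fingerprint octets
SAMPLE_KEYID = SAMPLE_FPR[-8:]          # a v4 key ID is the low 64 bits of the fingerprint
_hashed = _sub(ISSUER_FPR, b"\x04" + SAMPLE_FPR) + _sub(2, b"\x00\x00\x00\x00")  # type 2 = creation time
_unhashed = _sub(ISSUER, SAMPLE_KEYID)
SAMPLE_SIG_BODY = (b"\x04\x00\x01\x08" + struct.pack(">H", len(_hashed)) + _hashed
                   + struct.pack(">H", len(_unhashed)) + _unhashed
                   + b"\x12\x34" + b"\x00\x08\xaa")  # hash prefix + placeholder 8-bit RSA MPI
```

Whatever the signature names, checking "same key as the last release" still requires an authentic copy of that key from outside the signature, which is the key-distribution problem the comment above refers to.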