undefined | Better HN

0 pointswoodruffw3y ago0 comments

Yep. Unfortunately, PGP's keyserver network has been dead for years[1]. There are two big (non-synchronizing) ones left, and they're the two I used to do the analysis that's linked in this announcement (meaning they're the ones that are largely missing well-formed keys for the signatures on PyPI).

This was discussed a bit on Sunday's thread[2], and my understanding is that Maven's ability to use PGP in this way is effectively due to Sonatype assuming a large amount of operational and maintenance burden. PyPI doesn't have those kind of resources available to it. Even assuming that the service was gifted that kind of support, it would still cause a lot of heartburn with existing signatures and carry forwards all of the legacy baggage of PGP that we're trying to eliminate entirely.

[1]: https://gist.github.com/rjhansen/67ab921ffb4084c865b3618d695...

[2]: https://news.ycombinator.com/item?id=36021172

0 comments

2 comments · 1 top-level

bombolo3y ago· 1 in thread

It seems pypi should launch their own new keyserver, rather than removing PGP.

In any event, they will ask for a photo of the ID in the future. Google has already written on their security blog that this is where they're going, and from the whole google titan keys event, we know who decides on behalf of pypi.

masklinn3y ago

Pypi doesn’t have the resources it needs to do its own job, they’re not going to waste more resources they don’t have on a dead-end technology they don’t have a use for.

j / k navigate · click thread line to collapse