Donald Stufft <don...@stufft.io> writes:

> https://mail.python.org/pipermail/distutils-sig/2016-May/028933.html

"I am aware of a single tool anywhere that actively supports verifying the signatures that people upload to PyPI, and that is Debian's uscan program. Even in that case the people writing the Debian watch file have to hardcode a signing key into it, and in my experience, when faced with a validation error, it's not unusual for Debian to simply disable signature checking for that project and/or just blindly update the key to whatever the new key is."

I would never just blindly disable signature checking or update the key without carefully checking that this is legitimate first (and/or carefully checking the diff). For example, if releases were signed by person A but are now signed by person B, there should be some sort of public record of this fact. If not, ask on a public forum.

If you remove signatures (or don't supply them in the first place), then we, as Debian packagers, have no way of validating the upload. So you only need to compromise the package the maintainer downloads, and subsequently everyone who uses the (signed) Debian packaging is affected.

If, however, PyPI were to remove signatures, this would make the decision whether to use PyPI or GitHub as the source somewhat easier.

-- 
Brian May <b...@debian.org>
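For readers unfamiliar with the mechanism Donald describes, here is what "hardcoding a signing key into the watch file" looks like in practice. This is an added illustration, not part of either message in the thread and not taken from any real Debian package: the package name `examplepkg`, its version pattern and the download host are placeholders. The `pgpsigurlmangle` option tells uscan how to derive the detached-signature URL from each tarball URL (here by appending `.asc`, matching the naming PyPI used for uploaded signatures), and uscan checks that signature only against the key(s) shipped by the packager in `debian/upstream/signing-key.asc`. A tarball signed by any other key fails verification and is not accepted, which is the point at which a packager has to decide whether a key change is legitimate rather than simply replacing the file.

```text
# debian/watch (constructed example)
version=4
opts="pgpsigurlmangle=s/$/.asc/" \
  https://pypi.debian.net/examplepkg/examplepkg-(.+)\.tar\.gz

# debian/upstream/signing-key.asc (constructed example; armored public key of the
# upstream release signer, pinned in the packaging and reviewed on every change)
-----BEGIN PGP PUBLIC KEY BLOCK-----
...
-----END PGP PUBLIC KEY BLOCK-----
```

The two files travel together in the Debian source package, so a change to the pinned key shows up in the packaging diff and can be cross-checked against an upstream announcement or asked about publicly, as Brian describes above, before it is accepted.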