科技回声
© 2025 科技回声. All rights reserved.

Python PGP proposal poses packaging puzzles

44 points, by jwilk, 7 months ago

4 comments

tptacek, 7 months ago
This leaves out the important context that key verification for these packages isn't functional.

> In the last 3 years, about 50k signatures had been uploaded to PyPI by 1069 unique keys. Of those 1069 unique keys, about 30% of them were not discoverable on major public keyservers, making it difficult or impossible to meaningfully verify those signatures. Of the remaining 71%, nearly half of them were unable to be meaningfully verified at the time of the audit (2023-05-19) [2].

More recently, on this thread:

https://news.ycombinator.com/item?id=41873215
Comment #41975060 not loaded
hifromwork, 7 months ago
> In the PEP, Larson argues that providing PGP and sigstore signatures fails to give downstream projects any incentive to adopt sigstore. So long as CPython continues to provide PGP signatures, there is little motivation to adopt sigstore.

No better way to convince people to use a standard than forcing them. Taking away choice by force sounds a bit contradictory to the idea of Open Source. I mean, maybe sigstore is a better idea, but why not let people make their choice.
Comment #41990252 not loaded
wesselbindt, 7 months ago
Awesome alliteration always achieves amusement.
dmwilcox, 7 months ago
I'm not an openbsd person (though maybe one day!), but why change to complicated failure-prone tech when you could have something simpler and more secure?

https://man.openbsd.org/signify
https://github.com/aperezdc/signify

I used to use PGP yubikey for everything but the subkey renewal process was so onerous I switched to PIV keys with age and haven't looked back. Never mind all those legacy ciphers in GPG are just attack vectors that haven't happened yet.