
Re: RFC: advise against using Proton Mail for Debian work?



Hello,


On Wednesday 15 November 2023 03:21:34 CET, Simon Richter wrote:
> disqualifying factor. Upload permissions are tied to a gpg key, and the
> holder of the key needs to at least demonstrate good practices in using
> gpg

I was recently discussing with PyPI and core Python developers, and it seems 
that their take is very different than ours.

It seems that PyPI completely removed support for signed updates, and instead 
now verification happens if you upload from a GitHub pipeline.

It has been suggested that I'm a bit paranoid for stating that putting my 
private key on a Microsoft server renders the signature with that key 
completely meaningless.

I of course disagree, but the opinion of people in such key positions is 
easily valued more.

Perhaps we need an explicit policy in how to handle keys, since there are very 
different opinions about what it is ok to do with them.


Best
-- 
Salvo Tomaselli

"I do not feel obliged to believe that the same God who has endowed us with
sense, reason and intellect has intended us to forgo their use."
                -- Galileo Galilei

https://ltworf.codeberg.page/
