DEV Community

Discussion on: Why doesn't the python package manager (PIP) have package signing feature?

Collapse
 
michaelbukachi profile image
Michael Bukachi

From the Reddit discussion it seems PGP is highly flawed. Using TUF would be much better but it's quite hard to implement. So they are just forgoing the whole thing since they don't have the time and resources to work on such features.

Collapse
 
prahladyeri profile image
Prahlad Yeri • Edited

There is no flaw in PGP, many other highly used projects like Debian and Ubuntu sign their packages using PGP. It seems, they (Python team) just don't want to be hassled with storing so many authors' PGP public keys and managing them like debian/ubuntu does! However, this feature can be made optional, so that only those who want to sign will upload their keys.

Besides, if they don't like PGP then they should come up with some other solution. Just postponing such a critical security issue isn't a good thing.

Collapse
 
michaelbukachi profile image
Michael Bukachi

There are flaws. Read this. There are other discussions online.
There are PEPs with proposals to fix the problem but they haven't been approved. Till then, developer vigilance is required.