I'm using the Python Package Manager (PyPi) since a very long time and I couldn't help but notice that package signing feature isn't there at all (...
For further actions, you may consider blocking this person and/or reporting abuse
From the Reddit discussion it seems PGP is highly flawed. Using TUF would be much better but it's quite hard to implement. So they are just forgoing the whole thing since they don't have the time and resources to work on such features.
There is no flaw in PGP, many other highly used projects like Debian and Ubuntu sign their packages using PGP. It seems, they (Python team) just don't want to be hassled with storing so many authors' PGP public keys and managing them like debian/ubuntu does! However, this feature can be made optional, so that only those who want to sign will upload their keys.
Besides, if they don't like PGP then they should come up with some other solution. Just postponing such a critical security issue isn't a good thing.
There are flaws. Read
. There are other discussions online.
There are PEPs with proposals to fix the problem but they haven't been approved. Till then, developer vigilance is required.
If you’re concerned about this, then I would open an issue and maybe even propose a design to the
pipcommunity. Posting here isn’t actionable in any way. Bringing it up with thepipmaintainers is.Sure, you can open an issue but I doubt it'll be much helpful after reading this reddit thread. It seems they've deliberately chosen to not have package signing which seems beyond logic to me!
I know posting here isn't much actionable, consider this as just another rant!
You are quite right. I think the proper choice is github.com/JonathanLogan/codechain
There are certain interests out there that want to influence standards bodies to keep things as insecure as possible. It's not a conspiracy, it's reality.
From one of the original maintainers of
pip: caremad.io/posts/2013/07/packaging...Well, maybe a distributed Pypi (on IPFS) would help solve this problem: github.com/ipfs/notes/issues/28