Items tagged with: PyPI


Just when I thought that I couldn’t possibly be more disappointed by #Python's tooling and environment, now #PyPI is no longer supporting #OpenPGP signatures: https://blog.pypi.org/posts/2023-05-23-removing-pgp/

Their rationale for doing so is one of the stupidest things I’ve ever read about OpenPGP — and I’ve read a lot of stupid takes about OpenPGP over the years!

It basically boils down to two points:

1) One-third of the public keys used “were not discoverable on major public #keyservers, making it difficult or impossible to meaningfully verify those signatures”.

2) Half of the other keys “were unable to be meaningfully verified at the time of the audit”.

On the first point: just because you can’t find a key on keyservers doesn’t mean the key can’t be used. Keyservers have never been the one and only way to distribute keys. Actually, the OpenPGP world has been moving away from keyservers for several years already, and most keyservers are slowly dying. The keyserver from the Sequoia-PGP folks is one of the few exceptions.

On the second point: WTF? Just because you were unable to “meaningfully verify” a key doesn’t mean anything! The validity of an OpenPGP key is not something absolute that can be verified by an auditor and then held true for everybody. The entire point of OpenPGP, compared to the X.509 world, is that it is up to each individual user to verify the validity of keys (possibly using the #web-of-trust, but that’s not the only way, and actually, as for the keyservers, the OpenPGP world has been moving away from the WoT). A key that is unverified for Alice may very well be perfectly valid for Bob.


New user and new project name registration on PyPI is temporarily suspended. The volume of malicious users and malicious projects being created on the index in the past week has outpaced our ability to respond to it in a timely fashion.


Last time I checked, #PyPI didn't even sign packages. Which means in using it you're trusting their public-facing servers to be constantly free of intrusion. Why don't they follow the lead of Debian or Mozilla?

#malware #infosec #supplychain


Pebble 0.9.0 released


I released today version 0.9.0 of #pebble, the command line client for Nextcloud's password manager #passman.

This version is intended as a “beta” release before a future “stable” 1.0 release.

Here’s the repository, the latest tarball, and the manual.

The client may also be installed via #PyPI: pip install incenp.pebble