Removing PGP from PyPI – The Python Package Index Blog

If you are someone who is currently uploading signatures, your package uploads will
continue to succeed, but any PGP signatures will be silently ignored. If you are
someone who is currently downloading PGP signatures, existing signatures
SHOULD continue to be available, but no new signatures will be made available.
The related API fields such as has_sig have all been hardcoded to always be
False.

Historically, PyPI has supported uploading PGP signatures alongside the release
artifacts in an attempt to provide some level of package signing. However, the
approach used had long-standing, documented issues which had previously led us to
deprecate the support for PGP signatures over time by removing them from the PyPI
web user interface.

PyPI has continued to support uploading these signatures in the hope that there
might be some systems out there that find them useful. Recently though,
an examination of the signatures on PyPI
has revealed to us that the current support for PGP signatures is not proving useful.

In the last 3 years, about 50k signatures had been uploaded to PyPI by 1069
unique keys. Of those 1069 unique keys, about 30% of them were not discoverable
on major public keyservers, making it difficult or impossible to meaningfully
validate those signatures. Of the remaining 71%, nearly half of them were unable
to be meaningfully verified at the time of the audit (2023-05-19).

In other words, out of all of the unique keys that had uploaded signatures to
PyPI, only 36% of them were capable of being meaningfully verified at the
time of audit. Even if all of those signatures uploaded in that 3 year period
of time were made by one of those 36% of keys that are able to be meaningfully
verified, that would still represent only 0.3% of all of those files.
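The two-stage audit described above (is the signing key discoverable on a public keyserver, and if so, does the signature verify against it) can be re-run on any set of signature records. The following is an added example, not PyPI's own audit code; the record fields, the bucket names and the sample dataset are constructed for illustration.

```python
"""Re-run the two-stage PGP signature audit on constructed records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SignatureRecord:
    """One uploaded signature and the outcome of the audit's two stages."""
    filename: str
    key_fingerprint: str      # constructed placeholder, not a real key
    key_on_keyserver: bool    # stage 1: key discoverable on a public keyserver
    signature_verified: bool  # stage 2: signature verified against the fetched key


def classify_keys(records):
    """Bucket each signing key as 'undiscoverable' (not on any keyserver),
    'unverifiable' (found, but none of its signatures verified) or 'verified'."""
    by_key = defaultdict(list)
    for rec in records:
        if rec.signature_verified and not rec.key_on_keyserver:
            # A signature cannot verify without the key; reject inconsistent input.
            raise ValueError(f"{rec.filename}: verified without a discoverable key")
        by_key[rec.key_fingerprint].append(rec)
    buckets = {}
    for fpr, recs in by_key.items():
        if not any(r.key_on_keyserver for r in recs):
            buckets[fpr] = "undiscoverable"
        elif not any(r.signature_verified for r in recs):
            buckets[fpr] = "unverifiable"
        else:
            buckets[fpr] = "verified"
    return buckets


def audit_summary(records, total_files):
    """Share of keys that verify, the upper bound on files any signature could
    cover, and the share of files actually signed by a verifiable key."""
    buckets = classify_keys(records)
    verified_keys = {k for k, b in buckets.items() if b == "verified"}
    covered = {r.filename for r in records if r.key_fingerprint in verified_keys}
    return {
        "keys_total": len(buckets),
        "keys_verified_pct": round(100 * len(verified_keys) / len(buckets), 1),
        "signed_files_pct": round(100 * len(records) / total_files, 2),
        "verified_files_pct": round(100 * len(covered) / total_files, 2),
    }


def sample_records():
    """Constructed dataset: 6 signatures from 5 keys over a 1000-file index."""
    return [
        SignatureRecord("a-1.0.tar.gz", "KEY1", True, True),
        SignatureRecord("a-1.1.tar.gz", "KEY1", True, True),
        SignatureRecord("b-2.0.whl", "KEY2", True, False),
        SignatureRecord("c-0.1.tar.gz", "KEY3", False, False),
        SignatureRecord("d-3.2.whl", "KEY4", True, True),
        SignatureRecord("e-1.0.tar.gz", "KEY5", False, False),
    ]
```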

Given all of this, the continued support of uploading PGP signatures to PyPI is
no longer defensible. While it doesn’t represent a massive operational burden
to continue to support it, it does require any new features that touch the
storage of files to be made aware of and capable of handling these PGP
signatures, which is a non-zero cost on the maintainers and contributors of
PyPI.


Donald Stufft is a PyPI administrator and maintainer of the Python Package Index since 2013.
