Hacker News
by thewataccount 1060 days ago
I'm confused as to why package signing isn't standard for all package managers.

Didn't PyPI just remove signing too?

1 comment

PyPI did indeed, but it's a fairly interesting case. It was removed because the implementation was ineffective.

More information on that here: https://blog.yossarian.net/2023/05/21/PGP-signatures-on-PyPI...

There was a lot of talk about why this didn't go the other way; keeping signing, but making the practice meaningful. I forget the details about that.