by zimmerfrei
1039 days ago
That is not really a big improvement, as it just covers the threat of compromise for the CDN and any of the proxies, but not of the PyPI infra itself. That is covered by PEP 480, which is already 9 years old: https://peps.python.org/pep-0480/ Too bad that PyPI (and pip) effectively killed PGP signatures under control of the developers (therefore truly end-to-end) even with the simple TOFU model, and without providing an alternative.