by ArchOversight 604 days ago
This is related to the distribution of CPython itself, the key verification for those artifacts does work and has worked forever. The packaging referred to by the article is about packaging Python itself by upstream distributions.

Python packages developed by third-party developers and uploaded to PyPI are indeed not verifiable due to the key issues you mentioned, and this is a minor note in the article.

2 comments

> the key verification for those artifacts does work and has worked forever.

Go try to verify some of the PGP signatures on CPython releases that are older than 2.7. You might be surprised.

W3C DIDs are verifiable, e.g. with blockchain-certificates/cert-verifier-js and blockchain-certificates/cert-verifier (Python).

If PyPI is not a keyserver, if it only hosts the attestations and checks checksums, can it fully solve for [Python] software supply chain security?

A table comparing the various known solutions might be good, including md5, sha3, GPG .ASC signatures, TUF, Uptane, Sigstore (Cosign + Rekor), PyPI with/without attestations, VC Verifiable Credentials, and Blockcerts (Verifiable Credentials (DIDs)).