[guappa]

> to virtually no complaint since nobody was actually verifying any of the signatures

And this is in no way a consequence of pypi stopping to host public keys right? Say the whole story at least… Say that there used to be a way to verify the signatures but you dropped it years ago and since then the signatures have been useless.

[woodruffw]

If it did, it was well before I ever began to work on PyPI. By the time I came around, PGP signature support was vestigial twice over and the public key discovery network on the Internet was rapidly imploding.

(But also: having PyPI be the keyserver defeats the point, since PyPI could then trivially replace my package's key. If that's the "whole story," it's not a very good one.)

[freeone3000]

This attestation doesn’t change a ton with that, though. The point is to provide chain of custody — it got to my computer, from pypi, from ???. The PGP signature, much like a self-signed android app, verifies that it continues to be the same person.

[woodruffw]

The critical difference with this architecture is that it doesn’t require key discovery or identity mapping: those are properties of the key infrastructure, similarly to the Web PKI.

Your self-signed app analogy is apt: self-signing without a strong claimant identity proof is a solution, but a much weaker one than we wanted.

[guappa]

It was a plural you. I have no idea who you personally are.