> On Mar 31, 2018, at 11:23 PM, Scott Kitterman <deb...@kitterman.com> wrote: > > What replaces gpg for ensuring integrity of the uploaded code?
To be clear, PGP signatures can still be uploaded and they are still available for download, they just don’t appear in the UI anymore. Longer term I’d *like* to get rid of PGP signatures, because I think their value here is actually pretty low. In that case they’d be replaced with TUF, but that’s a longer term project.
