> On Apr 1, 2018, at 2:27 AM, Dominik George <naturesha...@debian.org> wrote:
> 
> Hi,
> 
>> To be clear, PGP signatures can still be uploaded and they are still
>> available for download, they just don’t appear in the UI anymore.
> 
> So, what does the pypi.debian.net redirector use for uscan?  I imagine it
> used to scrape the website.  Can it be changed to use the JSON API?

The original PoC I wrote used the JSON API, but I don’t think what’s being 
deployed is descendant from my PoC so I have no idea what it uses, but if it’s 
not using the JSON API then yes it can be.

> 
>> Longer term I’d *like* to get rid of PGP signatures, because I think
>> their value here is actually pretty low.
> 
> I partially share this opinion, but that's a question to be discussed with
> the Debian policy people in general.  While checking a GPG signature on the
> source tarball in general is a good idea, I am afraid some developers just
> drop any key they find on first glance into the package and are done with
> it, which actually provides nothing but a false sense of safety.
> 
>> In that case they’d be replaced with TUF, but that’s a longer term
>> project.
> 
> That one?: https://github.com/theupdateframework/tuf


Yes.


> 
> Well, I can only say *please* do not remove the possibility to upload signed
> source tarballs, but leave that to the developers!
> 
> -nik
> 
> --
> PGP-Fingerprint: 3C9D 54A4 7575 C026 FB17  FD26 B79A 3C16 A0C4 F296
> 
> Dominik George · Hundeshagenstr. 26 · 53225 Bonn
> Phone: +49 228 92934581 · https://www.dominik-george.de/
> 
> Teckids e.V. · FrOSCon e.V. · Debian Developer
> 
> LPIC-3 Linux Enterprise Professional (Security)

Attachment: signature.asc
Description: Message signed with OpenPGP
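The reply above says a redirector such as pypi.debian.net can use the PyPI JSON API instead of scraping the website, and that PGP signatures are still downloadable even though the UI no longer shows them. The following is an added example, not code from the thread or from the pypi.debian.net project: it parses a constructed response shaped like `https://pypi.org/pypi/<name>/json` (the field names `releases`, `packagetype`, `url`, `has_sig` and `digests` are my assumption about that schema), picks the sdist for a version, refuses unsigned sdists when a signature is required, derives the detached-signature URL (assumed to be the file URL plus `.asc`), and checks a downloaded blob against the published SHA-256. The package name, URLs and tarball bytes are all constructed.

```python
"""Select a signed sdist from a PyPI JSON API response and verify its digest.

Added example for the discussion above; the response below is constructed to
mirror the assumed shape of https://pypi.org/pypi/<name>/json and contains no
real project data.
"""
import hashlib
import hmac
import json

# Constructed stand-in for a downloaded sdist. Its digest is computed here so
# that the sample response below is self-consistent.
SAMPLE_SDIST_BYTES = b"constructed sdist contents, not a real tarball\n"

# Constructed JSON API response (assumed schema). Version 1.1.0 has an
# unsigned sdist; 1.2.0 has a signed wheel and a signed sdist.
SAMPLE_RESPONSE_TEXT = json.dumps({
    "info": {"name": "examplepkg", "version": "1.2.0"},
    "releases": {
        "1.1.0": [
            {
                "filename": "examplepkg-1.1.0.tar.gz",
                "packagetype": "sdist",
                "url": "https://files.example.invalid/examplepkg-1.1.0.tar.gz",
                "has_sig": False,
                "digests": {"sha256": "00" * 32},
            }
        ],
        "1.2.0": [
            {
                "filename": "examplepkg-1.2.0-py3-none-any.whl",
                "packagetype": "bdist_wheel",
                "url": "https://files.example.invalid/examplepkg-1.2.0-py3-none-any.whl",
                "has_sig": True,
                "digests": {"sha256": "11" * 32},
            },
            {
                "filename": "examplepkg-1.2.0.tar.gz",
                "packagetype": "sdist",
                "url": "https://files.example.invalid/examplepkg-1.2.0.tar.gz",
                "has_sig": True,
                "digests": {"sha256": hashlib.sha256(SAMPLE_SDIST_BYTES).hexdigest()},
            },
        ],
    },
})
SAMPLE_RESPONSE = json.loads(SAMPLE_RESPONSE_TEXT)


def select_sdist(response, version, require_signature=True):
    """Return the sdist file entry for `version`, or None.

    With require_signature=True an sdist that PyPI reports as unsigned
    (has_sig false) is rejected rather than silently accepted.
    """
    for entry in response.get("releases", {}).get(version, []):
        if entry.get("packagetype") != "sdist":
            continue  # wheels are not what a source-package watch wants
        if require_signature and not entry.get("has_sig", False):
            return None
        return entry
    return None


def signature_url(entry):
    """Detached-signature URL for a file entry (assumption: file URL + '.asc')."""
    if not entry.get("has_sig", False):
        return None
    return entry["url"] + ".asc"


def verify_sha256(data, entry):
    """Compare the downloaded bytes against the digest the API published."""
    expected = entry["digests"]["sha256"]
    actual = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(actual, expected)


def signed_sdist_versions(response):
    """Versions that carry a signed sdist, sorted numerically (assumes dotted ints)."""
    versions = [v for v in response.get("releases", {})
                if select_sdist(response, v) is not None]
    return sorted(versions, key=lambda v: tuple(int(p) for p in v.split(".")))


if __name__ == "__main__":
    entry = select_sdist(SAMPLE_RESPONSE, "1.2.0")
    print("sdist:", entry["filename"])
    print("signature:", signature_url(entry))
    print("digest ok:", verify_sha256(SAMPLE_SDIST_BYTES, entry))
    print("signed versions:", signed_sdist_versions(SAMPLE_RESPONSE))
```

The digest check only proves the download matches what the index published; the signature, once fetched, should be verified against a key pinned for that upstream rather than whatever key happens to be found, which is the "false sense of safety" point raised above.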
