On 8/24/25 3:12 PM, Michał Górny wrote:
> Hi,
>
> Here's a patchset that introduces provenance verification (i.e.
> verify-sig equivalent) for pypi.eclass.
I strongly believe this should *not* be merged. There are a couple reasons why I don't think this is beneficial and would strongly push back against implementing it in any package I maintain (even if the relevant files are uploaded to PyPI).

But the main issue is the one you said already in IRC: "yes, it worked. yes, it's all theater"

I am opposed to implementing anything which even the author thinks is useless. I am opposed to implementing anything which constitutes "security theater as a matter of policy". Security theater is a *net negative*. It makes people think that security guarantees exist which don't in fact exist, and they let down their guard.

-- 
Eli Schwartz
