On Sun, 2025-09-07 at 04:25 -0400, Eli Schwartz wrote:
> Meanwhile, the fact that provenance exists at all has measurably
> decreased the security of software I care about, since provenance was
> used as an excuse to disable the ability of members of the PGP community
> to upload code-signing attestations, and consequently, authors of
> software I package and use have said "it's not worth fighting PyPI, no I
> won't upload to github releases, blame PyPI. I'll just only continue
> signing my non-PyPI software projects".
>
> I think it sends an extremely bad message to approve and condone
> something that will always pass provenance checks **even if it is
> malicious**, and frankly I'm not sure why despite *you* saying it's
> security theater, you're determined to add it anyway.
I'm not really happy about the push against OpenPGP either, but I don't see how sulking over this and pretending attestations don't exist is going to help us. What I really prefer to do is make the best of this, and use it as an argument to have test files in source distributions, so we wouldn't have to rely on autogenerated GitHub archives.

--
Best regards,
Michał Górny