Trishank Kuppusamy <trishank.kuppus...@datadoghq.com> added the comment:
The problem with not authoritatively publishing one or more public keys for the Python tarballs is that no one will know for sure which key to trust. If you naively download the public key associated with a malicious tarball, you would trust it without realizing that it's malicious (assuming that the tarball developers themselves have not gone rogue). I strongly urge the Python developers to use at least one official GPG key to sign all tarballs, and publish that on their web site (perhaps indirectly using Keybase).

----------
nosy: +Trishank Kuppusamy

Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue37967>
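The trust failure described in the comment above, as an added example that is not code from this tracker thread or from CPython's release tooling: a verifier that accepts whatever public key ships next to a tarball will happily "verify" an attacker's tarball signed with the attacker's own key, while a verifier that first compares the key's fingerprint with a value published out of band rejects it. Go's standard-library Ed25519 stands in for GPG/OpenPGP so the example runs offline; the release names, tarball bytes, the attacker's key and the "published" fingerprint are all constructed here for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Release is what a download site serves: the tarball, a detached signature
// over it, and the public key that the site claims made the signature.
type Release struct {
	Name      string
	Tarball   []byte
	Signature []byte
	PubKey    ed25519.PublicKey
}

// Fingerprint is the hex SHA-256 of the raw public key. It plays the role an
// OpenPGP key fingerprint would play for real release keys.
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// signRelease signs tarball with priv and bundles the matching public key,
// exactly as a mirror (honest or not) would.
func signRelease(name string, tarball []byte, priv ed25519.PrivateKey) Release {
	return Release{
		Name:      name,
		Tarball:   tarball,
		Signature: ed25519.Sign(priv, tarball),
		PubKey:    priv.Public().(ed25519.PublicKey),
	}
}

// VerifyNaive trusts whichever key arrived next to the tarball. It proves only
// that the holder of that key signed these bytes, which an attacker can always
// arrange for a tarball they control.
func VerifyNaive(r Release) bool {
	return ed25519.Verify(r.PubKey, r.Tarball, r.Signature)
}

// VerifyPinned first checks that the shipped key is the one whose fingerprint
// was obtained out of band (the project's web site, Keybase, an earlier
// release), and only then checks the signature.
func VerifyPinned(r Release, publishedFingerprint string) error {
	if Fingerprint(r.PubKey) != publishedFingerprint {
		return errors.New(r.Name + ": signing key is not the published release key")
	}
	if !ed25519.Verify(r.PubKey, r.Tarball, r.Signature) {
		return errors.New(r.Name + ": signature does not verify")
	}
	return nil
}

// Scenario builds a constructed official release, a malicious one signed with
// an attacker's own key, and an in-transit-modified copy of the official one.
// It returns the fingerprint the project is assumed to have published.
func Scenario() (official, malicious, tampered Release, publishedFP string, err error) {
	_, releasePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	// Constructed tarball contents; real ones would be the .tgz bytes.
	official = signRelease("Python-3.x.tgz", []byte("genuine release contents"), releasePriv)
	malicious = signRelease("Python-3.x.tgz (mirror)", []byte("backdoored release contents"), attackerPriv)
	// Official bytes altered on the wire, still carrying the genuine key and signature.
	tampered = official
	tampered.Name = "Python-3.x.tgz (modified)"
	tampered.Tarball = bytes.Replace(official.Tarball, []byte("genuine"), []byte("altered"), 1)
	publishedFP = Fingerprint(official.PubKey)
	return
}

func main() {
	official, malicious, tampered, fp, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("published fingerprint:", fp)
	for _, r := range []Release{official, malicious, tampered} {
		fmt.Printf("%-28s naive=%-5v pinned=%v\n", r.Name, VerifyNaive(r), VerifyPinned(r, fp))
	}
}
```

The naive check passes for both the genuine and the attacker-signed tarball because each is internally consistent with the key it ships with; only the pinned check, which anchors trust in a fingerprint fetched from somewhere the attacker does not control, separates the two. With real GPG signatures the equivalent step is comparing the full fingerprint reported by `gpg --verify` against the one published by the project, not merely observing "Good signature".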