PGP signatures on PyPI: worse than useless

@yossarian

> nobody ever attempting to verify them

Well, that is not true. I was approached by a Linux distro packager saying that my key was not signed by the releaser of the previous release... Once 😂

@jugmac00

I heard the same from another maintainer! He told me that a distro noticed that his key changed, and responded by removing verification entirely from his package.

@yossarian @jugmac00 PyPI does its very, very best to hide the existence of any signature features, so it's not very surprising that not many try to use them -- and Debian definitely noticed that one time I signed with the wrong key.

@yossarian @jugmac00 (Also, this would be a lot more compelling if some alternative was presented -- as it sits, how _else_ might Debian learn if the next txtorcon is published by the same person that did the last 20?)

@meejah @yossarian @jugmac00 Why does Debian check if the next txtorcon is uploaded by the same person? Having a team upload a package is a *good* practice; I hope distributions are not actively encouraging practices that cause maintainer burn-out.

@moshez @meejah @yossarian @jugmac00 Not every project has that many maintainers.

@kushal @moshez @yossarian @jugmac00 Even if they do, there are other ... coping strategies ... for signatures (multiple maintainers on PyPI, shared keys, ...)

(I'm not _happy_ with gpg etc, but yet another article saying "pgp sux" isn't helping The Discourse much if no alternatives are presented)

@moshez @yossarian @jugmac00 In this case, yes, I'm the only one. In other things I maintain there's more than one maintainer, so I suppose Debian has a system to encode that "these N keys are valid for Y packages".