yossarian (1.3.6.1.4.1.55738)PGP signatures on PyPI: worse than useless
https://blog.yossarian.net/2023/05/21/PGP-signatures-on-PyPI-worse-than-useless
Gregory P. Smith (he/him) 
🚲🦝 
@yossarian
PGP signatures: worse than useless.
There, I fixed it for you.
As tools GPG (and PGP) are simply unusable by anyone but fastidious zealot pedants. And thus always used wrong.
Kushal Das 
🇸🇪@gpshead @yossarian @glyph I still have hope to fix the usability of tools/services in future. I know most of my friends totally lost all hope :)
Glyph@kushal @gpshead @yossarian the world needs more good signing and security tools, but the sooner you abandon GPG (and OpenPGP more broadly) the sooner you can start building those ;-). There's really nothing worth salvaging here.
@glyph @gpshead @yossarian I beg to differ on that point. @[email protected] & I are building https://tumpa.rocks/
Here is an example where we can have better UX focused tools in the #OpenPGP land.
Mark Eichin@kushal @eichin I am seriously curious though: what about your problem domain makes GnuPG a desirable component? Why not throw its broken overcomplexity in the trash, define what you want your app to do in terms of user security guarantees, and then build it on top of a good backend or a novel cryptographic construction instead? I know "roll your own crypto" is bad, but it's a cut above "wrap gnupg"
@glyph @[email protected] Something that works for both encryption & signing. Bonus is that I can use the same for my ssh. Works out of my Yubikey, means no secret on disk. My mutt setup mostly works :)
I can see the pain points and hoping to improve them by creating newer things with usability in mind.
On the software side, most of the applications I install separately uses OpenPGP to sign the artifacts, including @fedora and also #debian.
8@gpshead @yossarian @glyph this take always makes me imagine a civil engineer standing next to wet concrete, checking her watch and muttering "nobody has time for this shit"
@glyph @gpshead @yossarian after writing and deleting a few pithy but vague drafts, the point I would like to reach is about engineering ethics. Big blocks of the tech world are not commissioned safely, merely appropriated from the fastidious pedant community. That community is a Venn diagram of many circles most of which are not labelled "engineer" at all. PGP is not fit for purpose and yet I am using PYPI rather than tagging it out for my org until controls are in place. That gives me pause.
@Octarine @gpshead @yossarian sorry, I cannot parse this at all. PGP is not used for anything on PyPI, so I don’t see how it is related to your use of PyPI. I don’t know what “tagging it out” means. I don’t know what controls you’re referring to, or why you haven’t put them in place.
@glyph @gpshead @yossarian my concern is that installing a PGP signed package on PyPI without verifying it is analogous to a safety feature of hazardous industrial plant that is routinely bypassed at the point of use because it isn't fit for purpose.
Bypassing safety features rather than "tagging out" plant from service and removing the feature is a failure of engineering ethics, because having users bypass safety features (who don't always have a minimum qualification) is a horrible precedent.
@Octarine @gpshead @yossarian OK, I have some sense of where you're coming from now, but I think you might have a distorted view of how PyPI integrated with GPG. People interested in actual safety here are using other solutions, doing things like pinning hashes and deterministic builds. The GPG stuff was never a safety feature, just a tacked-on afterthought intended to provide infrastructure for someone to *later* implement a safety feature. Nobody ever did, and now it's being removed.