PGP signatures on PyPI: worse than useless

@yossarian
PGP signatures: worse than useless.

There, I fixed it for you.

As tools, GPG (and PGP) are simply unusable by anyone but fastidious zealot pedants, and thus always used wrong.

@glyph

@gpshead @yossarian @glyph I still have hope to fix the usability of tools/services in future. I know most of my friends totally lost all hope :)
@kushal @gpshead @yossarian the world needs more good signing and security tools, but the sooner you abandon GPG (and OpenPGP more broadly) the sooner you can start building those ;-). There's really nothing worth salvaging here.

@glyph @gpshead @yossarian I beg to differ on that point. @[email protected] & I are building https://tumpa.rocks/

Here is an example where we can have better UX focused tools in the #OpenPGP land.

Tumpa

Tumpa is a usability-minded OpenPGP desktop application that makes key management and smartcard controls easy and usable for everyone.

@kushal
Is any of that something you could build atop signify instead?
@glyph
@eichin @glyph I guess for the signing part, yes. We also have #age with hardware support (and I love that).
@kushal @eichin if you're doing stuff with age and pgp in the same process, don't you have to have some kind of magnetic containment field so they don't touch and cause a matter/antimatter annihilation reaction?
@kushal @eichin I am seriously curious though: what about your problem domain makes GnuPG a desirable component? Why not throw its broken overcomplexity in the trash, define what you want your app to do in terms of user security guarantees, and then build it on top of a good backend or a novel cryptographic construction instead? I know "roll your own crypto" is bad, but it's a cut above "wrap gnupg"

@glyph @[email protected] Something that works for both encryption & signing. Bonus is that I can use the same for my ssh. It works out of my Yubikey, which means no secret on disk. My mutt setup mostly works :)

I can see the pain points and am hoping to improve them by creating newer things with usability in mind.

On the software side, most of the applications I install separately use OpenPGP to sign their artifacts, including @fedora and also #debian.