yossarian (1.3.6.1.4.1.55738)PGP signatures on PyPI: worse than useless
https://blog.yossarian.net/2023/05/21/PGP-signatures-on-PyPI-worse-than-useless
Gregory P. Smith (he/him) 
🚲🦝 
@yossarian
PGP signatures: worse than useless.
There, I fixed it for you.
As tools GPG (and PGP) are simply unusable by anyone but fastidious zealot pedants. And thus always used wrong.
8@gpshead @yossarian @glyph this take always makes me imagine a civil engineer standing next to wet concrete, checking her watch and muttering "nobody has time for this shit"
Glyph@glyph @gpshead @yossarian after writing and deleting a few pithy but vague drafts, the point I would like to reach is about engineering ethics. Big blocks of the tech world are not commissioned safely, merely appropriated from the fastidious pedant community. That community is a Venn diagram of many circles most of which are not labelled "engineer" at all. PGP is not fit for purpose and yet I am using PYPI rather than tagging it out for my org until controls are in place. That gives me pause.
@Octarine @gpshead @yossarian sorry, I cannot parse this at all. PGP is not used for anything on PyPI, so I don’t see how it is related to your use of PyPI. I don’t know what “tagging it out” means. I don’t know what controls you’re referring to, or why you haven’t put them in place.
@glyph @gpshead @yossarian my concern is that installing a PGP signed package on PyPI without verifying it is analogous to a safety feature of hazardous industrial plant that is routinely bypassed at the point of use because it isn't fit for purpose.
Bypassing safety features rather than "tagging out" plant from service and removing the feature is a failure of engineering ethics, because having users bypass safety features (who don't always have a minimum qualification) is a horrible precedent.
@Octarine @gpshead @yossarian OK, I have some sense of where you're coming from now, but I think you might have a distorted view of how PyPI integrated with GPG. People interested in actual safety here are using other solutions, doing things like pinning hashes and deterministic builds. The GPG stuff was never a safety feature, just a tacked-on afterthought intended to provide infrastructure for someone to *later* implement a safety feature. Nobody ever did, and now it's being removed.