
Author: Trishank Kuppusamy
Recipients: Trishank Kuppusamy, christian.heimes, lkollar, lukasz.langa, mattip, ned.deily
Date: 2019-09-12 17:36:08
Message-id: <1568309769.09.0.714629631453.issue37967@roundup.psfhosted.org>
Content:
The problem with not authoritatively publishing one or more public keys for the Python tarballs is that no one will know for sure which key to trust. If you naively download the public key associated with a malicious tarball, you would trust it w/o realizing that it's malicious (assuming that the tarball developers themselves have not gone rogue).

I strongly urge the Python developers to use at least one official GPG key to sign all tarballs, and publish that on its web site (perhaps indirectly using Keybase).
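An added example illustrating the point above; it is not part of this message and not CPython's release tooling. It assumes the release key's fingerprint has been obtained once from an authoritative page (python.org) and pinned in the script; the all-zero fingerprint below is a placeholder, not a real key, and the status lines at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not code from the issue thread). Assumes the release key
# fingerprint is fetched once from an authoritative page and pinned here;
# the all-zero value below is a placeholder, not a real Python release key.
PINNED_FPR="0000000000000000000000000000000000000000"

# Reads `gpg --status-fd 1` output on stdin and succeeds only when a VALIDSIG
# line names the pinned fingerprint (the signing subkey in field 3 or the
# primary key in the last field). A GOODSIG line or a zero exit status alone
# is not enough: gpg reports those for any key already in the keyring,
# including one that was downloaded next to a tampered tarball.
check_status() {
    pinned=$1
    ok=1
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] VALIDSIG "*)
                set -- $line
                sub=$3
                for last; do :; done
                if [ "$sub" = "$pinned" ] || [ "$last" = "$pinned" ]; then
                    ok=0
                fi
                ;;
        esac
    done
    return $ok
}

# Runs gpg on a tarball and its detached .asc signature, feeding the
# machine-readable status lines into check_status (needs gpg installed).
verify_tarball() {
    tarball=$1
    gpg --batch --status-fd 1 --verify "$tarball.asc" "$tarball" 2>/dev/null \
        | check_status "$PINNED_FPR"
}

# Constructed status output: one signature by the pinned key, one "good"
# signature by some other key that merely happens to be in the keyring.
demo_pinned='[GNUPG:] VALIDSIG 0000000000000000000000000000000000000000 2019-09-12 1568309769 0 4 0 1 10 00 0000000000000000000000000000000000000000'
demo_other='[GNUPG:] GOODSIG 1111111111111111 Unknown Signer <nobody@example.invalid>
[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2019-09-12 1568309769 0 4 0 1 10 00 1111111111111111111111111111111111111111'

printf '%s\n' "$demo_pinned" | check_status "$PINNED_FPR" && echo "pinned key: accepted"
printf '%s\n' "$demo_other"  | check_status "$PINNED_FPR" || echo "other key: rejected"
```

In real use, run `verify_tarball Python-X.Y.Z.tgz` after downloading the tarball and its `.asc`; the pinned fingerprint must come from the published page, not from a key file shipped beside the download.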
History
Date                 User                 Action          Args
2019-09-12 17:36:09  Trishank Kuppusamy   setrecipients   + Trishank Kuppusamy, christian.heimes, ned.deily, lukasz.langa, mattip, lkollar
2019-09-12 17:36:09  Trishank Kuppusamy   setmessageid    <1568309769.09.0.714629631453.issue37967@roundup.psfhosted.org>
2019-09-12 17:36:09  Trishank Kuppusamy   link            issue37967 messages
2019-09-12 17:36:08  Trishank Kuppusamy   create