Message352219
The problem with not authoritatively publishing one or more public keys for the Python tarballs is that no one will know for sure which key to trust. If you naively download the public key associated with a malicious tarball, you would trust it without realizing that it's malicious (assuming that the tarball developers themselves have not gone rogue).
I strongly urge the Python developers to use at least one official GPG key to sign all tarballs, and publish that on its web site (perhaps indirectly using Keybase).
Date | User | Action | Args
2019-09-12 17:36:09 | Trishank Kuppusamy | set | recipients: + Trishank Kuppusamy, christian.heimes, ned.deily, lukasz.langa, mattip, lkollar
2019-09-12 17:36:09 | Trishank Kuppusamy | set | messageid: <1568309769.09.0.714629631453.issue37967@roundup.psfhosted.org>
2019-09-12 17:36:09 | Trishank Kuppusamy | link | issue37967 messages
2019-09-12 17:36:08 | Trishank Kuppusamy | create |
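The consumer-side check the message is asking for, as an added example that is not part of the original message or of CPython's release tooling: verify a tarball against a fingerprint pinned from the project's web site, with a keyring that holds only that key, rather than against whatever key happens to be named by the signature or auto-retrieved from a keyserver. The fingerprint, file names and keyring path are hypothetical placeholders; the `VALIDSIG` field layout is the one documented in GnuPG's status-fd DETAILS file.

```sh
#!/bin/sh
# Added example, not from the bpo message or CPython's release process.
# Verifies a release tarball against a fingerprint pinned out-of-band.

# Hypothetical pinned fingerprint, copied from the project's web site,
# NOT from the download directory next to the tarball.
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# Read `gpg --status-fd` output on stdin and print the primary-key
# fingerprint from the VALIDSIG line. Field layout:
#   [GNUPG:] VALIDSIG <fpr> <date> <timestamp> <expire> <version>
#            <reserved> <pubkey-algo> <hash-algo> <sig-class> <primary-fpr>
# Field 3 is the signing (sub)key, field 12 the primary key; we pin the
# primary so a rotated signing subkey under the same certificate still passes.
# Exits 1 if no VALIDSIG line is present (bad signature, unknown key, etc.).
validsig_primary_fpr() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $12; found = 1 }
         END { exit !found }'
}

# Succeed only if the status stream on stdin carries a VALIDSIG whose
# primary fingerprint equals the pinned one ($1).
pinned_fpr_ok() {
    got=$(validsig_primary_fpr) || return 1
    [ "$got" = "$1" ]
}

# verify_tarball TARBALL SIGNATURE KEYRING PINNED_FPR
# The keyring is a file containing only the pinned public key, so a key
# imported by accident into the default keyring cannot satisfy the check;
# --no-auto-key-retrieve stops gpg from fetching the key the signature names,
# which is exactly the naive trust-on-download the message warns about.
verify_tarball() {
    tarball=$1; sig=$2; keyring=$3; pinned=$4
    gpg --no-default-keyring --keyring "$keyring" --no-auto-key-retrieve \
        --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null \
        | pinned_fpr_ok "$pinned"
}

# Usage (file names hypothetical):
#   verify_tarball Python-3.8.0.tgz Python-3.8.0.tgz.asc \
#       /etc/pki/python-release.kbx "$PINNED_FPR" && echo "signature OK"
```

A signature made by a different, perfectly valid key (the attacker's key shipped next to the malicious tarball) yields a VALIDSIG with the wrong primary fingerprint and is rejected; a missing or bad signature yields no VALIDSIG at all and is rejected too. The only input that passes is one signed under the fingerprint obtained from the published, authoritative location.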