[issue37967] Beta GPG signature check failing

Trishank Kuppusamy report at bugs.python.org
Thu Sep 12 13:36:09 EDT 2019


Trishank Kuppusamy <trishank.kuppusamy at datadoghq.com> added the comment:

The problem with not authoritatively publishing one or more public keys for the Python tarballs is that no one will know for sure which key to trust. If you naively download the public key associated with a malicious tarball, you would trust it w/o realizing that it's malicious (assuming that the tarball developers themselves have not gone rogue).

I strongly urge the Python developers to use at least one official GPG key to sign all tarballs, and publish that on its web site (perhaps indirectly using Keybase).

----------
nosy: +Trishank Kuppusamy

_______________________________________
Python tracker <report at bugs.python.org>
<https://bugs.python.org/issue37967>
_______________________________________
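The point above, that the key must come from an authoritative source rather than from the download mirror, is what the following added example implements. It is not part of the bug report or of CPython's release tooling; it is a generic POSIX sh verification script that assumes a detached `.asc` signature, a dedicated keyring file built from a key obtained out of band (for instance from the project web site), and a list of pinned fingerprints. The fingerprints and the status lines used below are constructed placeholders, not real Python release keys.

```shell
#!/bin/sh
# Added example (not from the bug report): accept a release tarball only if
# its detached signature was made by a key whose fingerprint is pinned.

# Fingerprints the organisation has decided to trust. PLACEHOLDERS only:
# copy real values from an authoritative source, never from the mirror that
# served the tarball and its signature.
PINNED_FINGERPRINTS="0000000000000000000000000000000000000001
0000000000000000000000000000000000000002"

# Read gpg --status-fd output on stdin and print the primary-key fingerprint
# of a valid signature. On a VALIDSIG line the last field is the primary key
# fingerprint, even when a signing subkey actually made the signature, so
# pinning that field survives subkey rotation. BADSIG/ERRSIG yield nothing.
primary_fpr_from_status() {
    awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $NF; exit }'
}

# Exit 0 if the fingerprint is in the pinned list, 1 otherwise.
is_pinned() {
    fpr="$1"
    for p in $PINNED_FINGERPRINTS; do
        [ "$p" = "$fpr" ] && return 0
    done
    return 1
}

# Verify in an isolated keyring so nothing from the user's default keyring
# or trustdb is consulted; gpg reports VALIDSIG for any key it can find,
# trusted in the web of trust or not, which is why the fingerprint is
# compared against the pinned list instead of relying on gpg's trust level.
# Usage: verify_tarball Python-X.Y.Z.tgz Python-X.Y.Z.tgz.asc release-keys.gpg
verify_tarball() {
    tarball="$1"; sig="$2"; keyring="$3"
    status=$(gpg --batch --no-default-keyring --keyring "$keyring" \
                 --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null) || return 1
    fpr=$(printf '%s\n' "$status" | primary_fpr_from_status)
    [ -n "$fpr" ] || return 1
    is_pinned "$fpr"
}
```

Running the script as `verify_tarball` against a tarball whose signature was made by an unpinned key fails even though gpg itself would print "Good signature", which is exactly the case the comment warns about: a valid signature from the wrong key.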
