On May 12, 2016, at 04:34 PM, Donald Stufft wrote:
> So my response to this is, let's pretend for a minute that we have the greatest and most amazing setup for verifying that the key 0x6E3CBCE93372DCFA belongs to me. What's your next step? How do you verify that I'm allowed to release for pip?

I'd hope that the project home page would say that. I sheepishly admit that we don't have that information on the Mailman home page, but you *could* follow the link from me (described as the lead developer) to my own home page and then grab the key from there, verified from keybase.io.

> What happens if tomorrow I decide I'm no longer going to use key 0x6E3CBCE93372DCFA because it got compromised (remembering that key revocation is hilariously broken [1])? What if we add a new signing key because I'm tired of releasing pip and someone else is going to take over? What path is Debian going to take for verifying that some new key is allowed to sign for it that doesn't put "Whatever PyPI says" in the path of trust?

uscan would complain and then I'd have to try to figure out the new signing credentials. It's not wonderful, but for platform and package maintainers who care, I think it does provide value, and the signing credentials likely don't change that often.

Cheers,
-Barry
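For readers unfamiliar with the uscan mechanism Barry refers to, this is an added illustration (not part of the thread) of how a Debian package pins an upstream signing key so that PyPI is not in the trust path. The watch-file URL pattern and the `.asc` signature suffix are assumptions for the example; the key fingerprint is a placeholder.

```text
# debian/watch (added example): fetch the upstream tarball and its
# detached signature, and require the signature to verify.
version=4
opts="pgpsigurlmangle=s/$/.asc/" \
https://pypi.debian.net/pip/pip-(.+)\.tar\.gz

# debian/upstream/signing-key.asc holds the ASCII-armoured public key(s)
# the Debian maintainer has decided to trust for this upstream, e.g.:
#
#   -----BEGIN PGP PUBLIC KEY BLOCK-----
#   ... <PLACEHOLDER: exported public key of the upstream release signer> ...
#   -----END PGP PUBLIC KEY BLOCK-----
#
# uscan verifies pip-<version>.tar.gz.asc against ONLY this keyring.
# A tarball signed by any other key, including a "new" key that PyPI
# happily serves, fails verification and uscan reports an error, which
# is the "uscan would complain" behaviour described above. Rotating to a
# new upstream key is then an explicit maintainer decision: the new key
# is verified out of band and appended to signing-key.asc.
```

Pinning the key in the package source is what keeps "whatever PyPI says" out of the trust path; the cost, as Barry notes, is that every key rotation requires manual re-verification by the maintainer.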