Post AVyH7Zuc2ReJmW221A by eternaltyro@mastodon.social
Post #AVxvSmbvp2EMFu03zE by misty@digipres.club
       2023-05-24T02:09:40Z
       
       0 likes, 0 repeats
       
       Good read here on OpenPGP in the PyPI ecosystem. The takeaway is that things aren't looking good. https://blog.yossarian.net/2023/05/21/PGP-signatures-on-PyPI-worse-than-useless
       
Post #AVxvl5squ9A9F3e6RE by SnoopJ@hachyderm.io
       2023-05-24T02:12:59Z
       
       0 likes, 0 repeats
       
       @misty and the chaser that goes with this shot: https://blog.pypi.org/posts/2023-05-23-removing-pgp/
       
Post #AVxvnyc2OZ4TYk9ha4 by misty@digipres.club
       2023-05-24T02:13:23Z
       
       0 likes, 0 repeats
       
       A few people have pointed out that in response, PyPI are removing PGP support: https://blog.pypi.org/posts/2023-05-23-removing-pgp/
       
Post #AVy5O9V2IHYlKzCmhc by jokeyrhyme@aus.social
       2023-05-24T04:00:52Z
       
       0 likes, 0 repeats
       
       @misty I've always found the major keyservers to be woefully under-provisioned and thus painfully slow to work with.

       The major source code hubs do offer public key hosting, which is sort of neat, e.g.
       - https://gitlab.com/jokeyrhyme.gpg
       - https://github.com/jokeyrhyme.gpg
       (because this at least proves that you control said account there)

       I've also noticed that both GitLab and GitHub recently started recognising SSH signatures on commits rather than just GPG signatures: https://docs.github.com/en/authentication/managing-commit-signature-verification/about-commit-signature-verification

       I wonder if package repositories like pypi/npm/crates/gems/etc likewise ought to embrace SSH signatures?
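
The SSH-signature mechanism the post above refers to is the `ssh-keygen -Y` sign/verify primitive that GitHub and GitLab build commit verification on. The script below is an added example, not code from the thread or from any of the forges or package indexes mentioned: it signs a constructed artifact with a throwaway Ed25519 key, verifies it against an `allowed_signers` file (the role a package index would play in mapping an identity to a key), and shows that a one-byte change to the artifact makes verification fail. The file names, the key, and the `release@example.com` identity are all made up for the demo; it needs OpenSSH 8.2 or later for `-Y`.

```shell
#!/bin/sh
# Added example (not from the thread): sign a release artifact with an SSH key
# and verify it against an allowed_signers file, the primitive GitHub/GitLab
# use for SSH-signed commits. Requires OpenSSH >= 8.2 (ssh-keygen -Y).
# Everything below (key, artifact, identity) is constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway Ed25519 signing key, no passphrase (demo only; never do this for
# a real release key).
ssh-keygen -q -t ed25519 -N "" -C "release@example.com" -f "$WORK/release_key"

# The artifact we "publish" (constructed sample content).
printf 'example-package-1.0.0 contents\n' > "$WORK/pkg.tar.gz"

# Sign under the "file" namespace. The namespace is bound into the signature,
# so a signature made for a file cannot be replayed as, say, a git commit.
# This writes "$WORK/pkg.tar.gz.sig" next to the artifact.
ssh-keygen -Y sign -f "$WORK/release_key" -n file "$WORK/pkg.tar.gz"

# A package index would hold this allowed_signers file: one line per
# identity, mapping a principal (here an e-mail address) to a public key.
printf 'release@example.com %s\n' "$(cat "$WORK/release_key.pub")" \
  > "$WORK/allowed_signers"

# verify_artifact IDENTITY FILE SIGFILE
# Prints "ok" and returns 0 if SIGFILE is a valid "file"-namespace signature
# over FILE by the key registered for IDENTITY; prints "bad" and returns 1
# otherwise (unknown identity, wrong namespace, or modified content).
verify_artifact() {
  if ssh-keygen -Y verify -f "$WORK/allowed_signers" -I "$1" -n file \
       -s "$3" < "$2" >/dev/null 2>&1; then
    echo ok
    return 0
  else
    echo bad
    return 1
  fi
}

# Happy path: the artifact as signed.
verify_artifact release@example.com "$WORK/pkg.tar.gz" "$WORK/pkg.tar.gz.sig"

# Tampered artifact: same signature, one byte appended, must fail.
printf 'example-package-1.0.0 contents!\n' > "$WORK/tampered.tar.gz"
verify_artifact release@example.com "$WORK/tampered.tar.gz" "$WORK/pkg.tar.gz.sig" || true

# Wrong identity: the key is fine but is not registered under this principal.
verify_artifact someone-else@example.com "$WORK/pkg.tar.gz" "$WORK/pkg.tar.gz.sig" || true
```

The verifier never touches a keyserver: trust comes entirely from the `allowed_signers` file, which is the part an index such as PyPI would have to own and govern (who may register a key for which project, and how revocation works). That governance question, not the signature format, is the hard part the thread is circling.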
       
Post #AVy8DLYpPUbTQCWBdY by savanni@anarchism.space
       2023-05-24T04:32:31Z
       
       0 likes, 0 repeats
       
       @misty I haven't looked into this in years, but is there a good way to set up encrypted communication between two individuals, GPG style, without being so hostile to users?
       
Post #AVyH7Zuc2ReJmW221A by eternaltyro@mastodon.social
       2023-05-24T06:12:19Z
       
       0 likes, 0 repeats
       
       @misty are alt tech like Sigstore and Cosign the alternative? #X509 instead of #PGP for provenance attestations?

       Email providers like @protonmail try to make it easier to use PGP and partially fix the problem of bad defaults but end up creating walled gardens that eventually lock people in.

       But I don't agree with the point that email should be considered hopelessly insecure. We can still work on better protocols for secure-by-default architecture even for federated comms tech like email.