I'm using the Python Package Manager (PyPi) since a very long time and I couldn't help but notice that package signing feature isn't there at all (According to this reddit thread, it used to be there many years ago but they removed it sometime back for some unknown reasons).
That means, if I install some package by running
pip install xyz, there is no way for me to ensure whether its the same one uploaded by the author of that package. Which means that if the PyPI server got compromised any time in the future, millions of users could be affected because of this, not just one or two.
I've authored and published several packages on PyPi myself and hence, this makes me concerned. There is no way to upload the GPG signature file of my package anywhere, nor does
pip check the GPG signatures. So the user who installs my package has no way of knowing that it was me who uploaded it there.
This is a serious security concern and I hope the Python team comes up with some kind of solution soon.
I’ve sent a message to my family and delegated my open source projects to my friends. With my last tweet sent, I turn off my laptop, phone, and tablet. My Digital Sabbath begins in 10 minutes: no digital devices for the next month.