ewdurbin's comments
ewdurbin | 2 years ago | on: PyPI Was Subpoenaed
This assumes that all of this is binary, when in reality it’s a complex system that takes time and effort to modify in a meaningful and responsible way.
ewdurbin | 2 years ago | on: PyPI Was Subpoenaed
No. They wanted the downloads by randoms. We don’t store those with IPs.
ewdurbin | 2 years ago | on: PGP signatures on PyPI: worse than useless
Python release files have been signed with sigstore for the last couple versions. You can peruse the release tooling that uses it at https://github.com/python/release-tools
ewdurbin | 2 years ago | on: PyPI new user and new project registrations temporarily suspended
There are no plans to limit trusted publishers. In fact, there is another in the works: https://github.com/pypi/warehouse/issues/13551
You are wrong.