
Making it a requirement of using something commercially would add a lot of transparency though. The concept of "software bill of materials" has increased interest now, and this would be a part of it: if you're using something then you sign it and publish the signature which then declares an acknowledgment that it was reviewed in some way.


Absolutely, but I fear such a solution would lead to a lot of people signing just to be compliant, not because they did a thorough job reviewing. If we could connect it to a reputation somehow, it might have something going for it.


Sure but that's the second part - trust and reputation.



