| From | Salvo Tomaselli <ltworf@debian.org> |
|---|---|
| Newsgroups | linux.debian.maint.python |
| Subject | Re: python devs are planning to stop signing with gpg |
| Date | 2024-10-01 00:20 +0200 |
| Message-ID | <JswUh-g2I4-9@gated-at.bofh.it> |
| References | <Jswrf-g28h-7@gated-at.bofh.it> <JswUh-g2I4-11@gated-at.bofh.it> |
| Organization | debian |
On Tuesday, 1 October 2024 00:07:46 CEST, Brian May wrote:
> Salvo Tomaselli <ltworf@debian.org> writes:
> > I just saw this conversation
> >
> > https://discuss.python.org/t/pre-pep-discussion-stop-providing-gpg-signatures-for-cpython-artifacts/65058
> >
> > Perhaps someone more expert than me at not making flamewars would like to
> > intervene?
>
> In what way is this going to affect Debian? Do we actually verify GPG
> signatures for upstream sources?
It seems we do not! There should be a file called
debian/upstream/signing-key.asc
that contains the public key. That's used automatically by uscan when getting
a new version.
> Is there any other reason I am not aware of why sigstore is a bad
> solution?
sigstore is 3rd party signing. You no longer keep the private key yourself.
You keep your password/token/whatever to sigstore and they sign your files.
And you hope they'll still be online and secure in the future when you will
decide to check a signature.
> Somebody needs to post the answers to questions like these to the
> discussion thread.
On that thread they say that it is possible to verify signatures offline. But
the checker seems to need a number of dependencies.
--
Salvo Tomaselli
"I do not feel obliged to believe that the same God who has endowed us with
sense, reason and intellect intended us to forgo their use."
-- Galileo Galilei
https://ltworf.codeberg.page/
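The debian/upstream/signing-key.asc check that the reply above refers to, as an added example that is not part of this thread and not uscan's own code: the script generates a throwaway upstream signing key, signs a stand-in release tarball, then verifies it the way uscan does (dearmor the checked-in key file into a temporary keyring and run gpgv against the detached signature), and shows the same check rejecting a tarball that was modified after signing. The key identity (upstream@example.invalid), the file names, the tarball contents and the working directory are all made up for the demo; it assumes GnuPG (gpg, plus gpgv where installed) is available.

```shell
#!/bin/sh
# Added example (not uscan's code): emulate the uscan signature check of an
# upstream tarball against debian/upstream/signing-key.asc. Assumes GnuPG is
# installed. Key identity, file names and contents are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"

# 1. Upstream side: a throwaway, passphrase-less signing key (hypothetical identity).
cat >"$WORK/keyparams" <<'EOF'
%no-protection
Key-Type: eddsa
Key-Curve: ed25519
Key-Usage: sign
Name-Real: Example Upstream
Name-Email: upstream@example.invalid
Expire-Date: 0
%commit
EOF
gpg --batch --quiet --gen-key "$WORK/keyparams" 2>/dev/null

# 2. Packaging side: the public key is committed as debian/upstream/signing-key.asc.
KEYFILE="$WORK/pkg/debian/upstream/signing-key.asc"
mkdir -p "$(dirname "$KEYFILE")"
gpg --batch --quiet --armor --export upstream@example.invalid >"$KEYFILE"

# 3. Upstream publishes a tarball (a stand-in file here) and a detached signature.
TARBALL="$WORK/example-1.0.tar.gz"
SIG="$TARBALL.asc"
printf 'stand-in for the release tarball contents\n' >"$TARBALL"
gpg --batch --quiet --armor --detach-sign --output "$SIG" "$TARBALL"

# 4. What uscan does with the key file: dearmor it into a throwaway keyring and
#    verify the detached signature with gpgv (falling back to gpg --verify).
verify_upstream() {  # args: tarball signature keyfile
    keyring="$WORK/upstream-keyring.gpg"
    gpg --batch --quiet --yes --dearmor --output "$keyring" "$3"
    if command -v gpgv >/dev/null 2>&1; then
        gpgv --quiet --keyring "$keyring" "$2" "$1" 2>/dev/null
    else
        gpg --batch --quiet --no-default-keyring --keyring "$keyring" \
            --verify "$2" "$1" 2>/dev/null
    fi
}

# 5. The genuine tarball verifies; a copy with one appended byte (a tampered
#    mirror, say) is rejected even though the signature file is the real one.
check_genuine() { verify_upstream "$TARBALL" "$SIG" "$KEYFILE"; }
check_tampered() {
    cp "$TARBALL" "$WORK/tampered.tar.gz"
    printf 'x' >>"$WORK/tampered.tar.gz"
    ! verify_upstream "$WORK/tampered.tar.gz" "$SIG" "$KEYFILE"
}

if check_genuine; then echo "genuine tarball: signature OK"; else echo "genuine tarball: BAD SIGNATURE"; fi
if check_tampered; then echo "tampered tarball: rejected as expected"; else echo "tampered tarball: WRONGLY ACCEPTED"; fi
```

Two caveats for the real packaging workflow: the key file alone does nothing unless debian/watch also tells uscan where the signature lives (for example `opts=pgpsigurlmangle=s/$/.asc/` when upstream publishes `<tarball>.asc` next to the tarball), and the check only proves that the tarball matches a signature made by whatever key is in signing-key.asc, so the value of the whole scheme rests on the maintainer having obtained that key out of band rather than from the same download site as the tarball.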