
Re: python devs are planning to stop signing with gpg

From Stefano Rivera <stefanor@debian.org>
Newsgroups linux.debian.maint.python
Subject Re: python devs are planning to stop signing with gpg
Date 2024-10-03 17:30 +0200
Message-ID <JtvW9-gG49-3@gated-at.bofh.it> (permalink)
References <Jswrf-g28h-7@gated-at.bofh.it> <JswUh-g2I4-11@gated-at.bofh.it> <JswUh-g2I4-9@gated-at.bofh.it>
Organization linux.* mail to news gateway


Hi Salvo (2024.09.30_22:15:34_+0000)
> > In what way is this going to affect Debian? Do we actually verify GPG
> > signatures for upstream sources?
> 
> It seems we do not!

Fixed.

> > Is there any other reason I am not aware of why sigstore is a bad
> > solution?
> 
> sigstore is 3rd party signing. You no longer keep the private key yourself. 
> You keep your password/token/whatever to sigstore and they sign your files.

From a quick read of the docs: I think ephemeral keys are used (or can
be?) but the signature is recorded into their CT log, with your account.
That's the bit signed by their key.

> And you hope they'll still be online and secure in the future when you will 
> decide to check a signature.

I see an offline mode is supported.

We should figure out what it would take to support sigstore in Debian
source packages, assuming there is more adoption.

Stefano

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272
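The trust structure described above (an ephemeral signing key, a log entry countersigned by the service's own key, and an offline verification path) as an added example in Go; this is not code from the thread or from any sigstore project, and it is deliberately a toy. It models the two long-lived parties with keys generated on the fly (a CA in Fulcio's role, a log in Rekor's role), uses a constructed identity (release-manager@example.org) and constructed artifact bytes, and leaves out the Merkle inclusion proof that real sigstore bundles carry, so the log's countersignature over entry and integration time stands in for "recorded into their log". Every function name here is the example's own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/binary"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Bundle is everything an offline verifier needs (no Merkle proof in this toy).
type Bundle struct {
	Signature      []byte // ed25519 signature over the artifact
	CertDER        []byte // ten-minute cert binding the identity to the ephemeral key
	IntegratedTime int64  // unix time the log accepted the entry
	EntrySig       []byte // log's signature over time||signature||cert
}

// CA plays Fulcio's role; Log plays Rekor's. A verifier keeps only CA.Pool and Log.Pub.
type CA struct {
	cert *x509.Certificate
	key  ed25519.PrivateKey
	Pool *x509.CertPool
}
type Log struct {
	key ed25519.PrivateKey
	Pub ed25519.PublicKey
}

// setup creates the two long-lived parties (constructed keys, fresh each run).
func setup() (*CA, *Log, error) {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, nil, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "toy root"},
		NotBefore: time.Now().AddDate(-1, 0, 0), NotAfter: time.Now().AddDate(1, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, caPub, caKey)
	if err != nil { return nil, nil, err }
	cert, _ := x509.ParseCertificate(der) // DER we just produced; cannot fail
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	logPub, logKey, err := ed25519.GenerateKey(rand.Reader)
	return &CA{cert: cert, key: caKey, Pool: pool}, &Log{key: logKey, Pub: logPub}, err
}

// entryBytes is what the log's key signs; covering the time pins the integration time.
func entryBytes(b *Bundle) []byte {
	out := make([]byte, 8)
	binary.BigEndian.PutUint64(out, uint64(b.IntegratedTime))
	return append(append(out, b.Signature...), b.CertDER...)
}

// signArtifact is the signer's side: the private key exists only inside this call.
func signArtifact(artifact []byte, identity string, ca *CA, tl *Log, now time.Time) (Bundle, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return Bundle{}, err }
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(now.UnixNano()), EmailAddresses: []string{identity},
		NotBefore: now, NotAfter: now.Add(10 * time.Minute), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	certDER, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, pub, ca.key)
	if err != nil { return Bundle{}, err }
	b := Bundle{Signature: ed25519.Sign(priv, artifact), CertDER: certDER, IntegratedTime: now.Unix()}
	b.EntrySig = ed25519.Sign(tl.key, entryBytes(&b)) // the log countersigns entry and time
	return b, nil
}

// verifyOffline needs no network and still works after the cert has expired:
// the chain is checked as of the integration time the log's key vouches for.
func verifyOffline(artifact []byte, b Bundle, roots *x509.CertPool, logPub ed25519.PublicKey, want string) error {
	if !ed25519.Verify(logPub, entryBytes(&b), b.EntrySig) {
		return errors.New("entry or its integration time not signed by the log")
	}
	cert, err := x509.ParseCertificate(b.CertDER)
	if err != nil { return err }
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: time.Unix(b.IntegratedTime, 0),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}})
	if err != nil { return err }
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != want {
		return errors.New("certificate issued to a different identity")
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, artifact, b.Signature) {
		return errors.New("artifact signature does not verify")
	}
	return nil
}

func main() {
	ca, tl, _ := setup()
	art := []byte("constructed stand-in for a release tarball")
	b, _ := signArtifact(art, "release-manager@example.org", ca, tl, time.Now())
	fmt.Println(verifyOffline(art, b, ca.Pool, tl.Pub, "release-manager@example.org")) // <nil>
}
```

The point the toy makes is why the log matters for ephemeral keys: the verifier never sees a long-lived signing key, only a certificate that was valid for ten minutes, so it evaluates the chain at the integration time the log signed rather than at the wall clock, and a bundle signed a week ago still verifies. Changing the artifact, the claimed integration time, the expected identity, or the CA root all fail. Real deployments get the CA and log public keys from a distributed trust root rather than generating them in place, and real bundles add the Merkle inclusion proof this example omits.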


Thread

python devs are planning to stop signing with gpg Salvo Tomaselli <ltworf@debian.org> - 2024-09-30 23:50 +0200
  Re: python devs are planning to stop signing with gpg Salvo Tomaselli <ltworf@debian.org> - 2024-10-01 00:20 +0200
    Re: python devs are planning to stop signing with gpg Brian May <bam@debian.org> - 2024-10-01 02:00 +0200
    Re: python devs are planning to stop signing with gpg Stefano Rivera <stefanor@debian.org> - 2024-10-03 17:30 +0200
      Re: python devs are planning to stop signing with gpg Louis-Philippe Véronneau <pollo@debian.org> - 2024-10-03 20:30 +0200
        Re: python devs are planning to stop signing with gpg Jeremy Stanley <fungi@yuggoth.org> - 2024-10-03 22:30 +0200
        Alternative signature mechanisms for upstream source verification Stefano Rivera <stefanor@debian.org> - 2024-10-04 20:30 +0200
          Re: Alternative signature mechanisms for upstream source verification Mathias Behrle <mbehrle@debian.org> - 2024-10-04 21:30 +0200
          Re: Alternative signature mechanisms for upstream source verification Guillem Jover <guillem@debian.org> - 2024-10-05 03:40 +0200
            Re: Alternative signature mechanisms for upstream source verification Stefano Rivera <stefanor@debian.org> - 2024-10-05 06:10 +0200
            Re: Alternative signature mechanisms for upstream source verification Martin <debacle@debian.org> - 2024-10-05 10:30 +0200
          Re: Alternative signature mechanisms for upstream source verification Simon Josefsson <simon@josefsson.org> - 2024-10-05 12:40 +0200
  Re: python devs are planning to stop signing with gpg Brian May <bam@debian.org> - 2024-10-01 00:30 +0200
