| Path | csiph.com!news.samoylyk.net!gothmog.csi.it!bofh.it!news.nic.it!robomod |
|---|---|
| From | Stefano Rivera <stefanor@debian.org> |
| Newsgroups | linux.debian.maint.python |
| Subject | Re: python devs are planning to stop signing with gpg |
| Date | Thu, 03 Oct 2024 17:30:01 +0200 |
| Message-ID | <JtvW9-gG49-3@gated-at.bofh.it> (permalink) |
| References | <Jswrf-g28h-7@gated-at.bofh.it> <JswUh-g2I4-11@gated-at.bofh.it> <JswUh-g2I4-9@gated-at.bofh.it> |
| X-Mailing-List | <debian-python@lists.debian.org> archive/latest/22375 |
| List-ID | <debian-python.lists.debian.org> |
| List-URL | <https://lists.debian.org/debian-python/> |
| List-Archive | https://lists.debian.org/msgid-search/20241003152912.7wwrsuxezwg3kaoj@satie.tumbleweed.org.za |
| X-Original-Date | Thu, 3 Oct 2024 15:29:12 +0000 |
| X-Original-Message-ID | <20241003152912.7wwrsuxezwg3kaoj@satie.tumbleweed.org.za> |
| X-Original-References | <14198883.O9o76ZdvQC@galatea> <87bk04sslp.fsf@debian.org> <4017015.ElGaqSPkdT@galatea> |
Hi Salvo (2024.09.30_22:15:34_+0000)
> > In what way is this going to affect Debian? Do we actually verify GPG
> > signatures for upstream sources?
>
> It seems we do not! Fixed.
> > Is there any other reason I am not aware of why sigstore is a bad
> > solution?
>
> sigstore is 3rd party signing. You no longer keep the private key yourself.
> You keep your password/token/whatever to sigstore and they sign your files.

From a quick read of the docs: I think ephemeral keys are used (or can
be?) but the signature is recorded into their CT log, with your account.
That's the bit signed by their key.

> And you hope they'll still be online and secure in the future when you will
> decide to check a signature.

I see an offline mode is supported.

We should figure out what it would take to support sigstore in Debian
source packages, assuming there is more adoption.

Stefano

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272