From: Stefano Rivera
Newsgroups: linux.debian.maint.python
Subject: Re: python devs are planning to stop signing with gpg
Date: Thu, 3 Oct 2024 15:29:12 +0000
Message-ID: <20241003152912.7wwrsuxezwg3kaoj@satie.tumbleweed.org.za>
References: <14198883.O9o76ZdvQC@galatea> <87bk04sslp.fsf@debian.org> <4017015.ElGaqSPkdT@galatea>
List-Archive: https://lists.debian.org/msgid-search/20241003152912.7wwrsuxezwg3kaoj@satie.tumbleweed.org.za

Hi Salvo (2024.09.30_22:15:34_+0000)

> > In what way is this going to affect Debian? Do we actually verify GPG
> > signatures for upstream sources?
>
> It seems we do not! Fixed.

> > Is there any other reason I am not aware of why sigstore is a bad
> > solution?
>
> sigstore is 3rd party signing. You no longer keep the private key yourself.
> You keep your password/token/whatever to sigstore and they sign your files.

From a quick read of the docs: I think ephemeral keys are used (or can be?)
but the signature is recorded into their CT log, with your account. That's
the bit signed by their key.

> And you hope they'll still be online and secure in the future when you will
> decide to check a signature.

I see an offline mode is supported.

We should figure out what it would take to support sigstore in Debian source
packages, assuming there is more adoption.

Stefano

-- 
Stefano Rivera
  http://tumbleweed.org.za/
  +1 415 683 3272