
Re: Alternative signature mechanisms for upstream source verification

From Simon Josefsson <simon@josefsson.org>
Newsgroups linux.debian.devel, linux.debian.maint.python, linux.debian.maint.dpkg
Subject Re: Alternative signature mechanisms for upstream source verification
Date 2024-10-05 12:40 +0200
Message-ID <JuamB-h549-5@gated-at.bofh.it> (permalink)
References (1 earlier) <JswUh-g2I4-11@gated-at.bofh.it> <JswUh-g2I4-9@gated-at.bofh.it> <JtvW9-gG49-3@gated-at.bofh.it> <JtyKl-gHL8-7@gated-at.bofh.it> <JtVdU-gVnJ-5@gated-at.bofh.it>
Organization linux.* mail to news gateway

Cross-posted to 3 groups.


Stefano Rivera <stefanor@debian.org> writes:

> Should we expand this to include some of these new mechanisms?
> Things brought up in the debian-python thread include:
> 1. sigstore https://docs.sigstore.dev/
> 2. ssh signatures
> 3. signify https://man.openbsd.org/signify.1

+1

I believe all signatures we trust should be encoded in a non-mutable
transparency log like Sigstore/Sigsum etc.  But the first step towards
that is to add support for verifying that property.

> There is a general trend towards getting upstream sources from Git
> rather than tarballs in Debian, but we're a long way from moving across
> completely, or even finding consensus to do so.
> These signature mechanisms can generally be applied to git commits as
> well as tarballs.

Signatures of git commits are the same as a signature on a SHA1 object,
which is broken for authentication purposes.  But it is possible to
discuss these issues separately, paving the way for git commit signing
to be trustworthy when GitHub/GitLab moves to SHA256.

/Simon
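An added illustration, not part of the thread, of what a git commit signature actually covers: the commit object with its `gpgsig` header removed, in which the tree and parent commits appear only as object hashes, so the binding from the signature to the file contents is only as strong as the repository's object hash. The sample commit, its ids and the signature block are constructed placeholders, not data from a real repository.

```python
import hashlib


def object_id(kind: str, body: bytes, algo: str = "sha1") -> str:
    """Git object id: hash of "<kind> <len>\\0<body>" under the repo's hash algorithm
    (sha1 today; git's sha256 object format uses the same layout with SHA-256)."""
    header = f"{kind} {len(body)}\0".encode()
    return hashlib.new(algo, header + body).hexdigest()


def signed_payload(commit: bytes) -> bytes:
    """Bytes a commit signature covers: the commit object minus the multi-line
    'gpgsig' header (its continuation lines start with a single space)."""
    headers, _, message = commit.partition(b"\n\n")
    kept, skipping = [], False
    for line in headers.split(b"\n"):
        if skipping and line.startswith(b" "):
            continue  # continuation line of the signature block
        skipping = line.startswith(b"gpgsig ")
        if not skipping:
            kept.append(line)
    return b"\n".join(kept) + b"\n\n" + message


def referenced_ids(payload: bytes) -> dict:
    """All the signed payload says about content: the tree id and parent ids."""
    refs = {"tree": None, "parents": []}
    for line in payload.split(b"\n\n", 1)[0].split(b"\n"):
        key, _, value = line.partition(b" ")
        if key == b"tree":
            refs["tree"] = value.decode()
        elif key == b"parent":
            refs["parents"].append(value.decode())
    return refs


# Constructed sample commit; the parent id and signature are placeholders.
SAMPLE_COMMIT = b"""tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904
parent 0123456789abcdef0123456789abcdef01234567
author A U Thor <author@example.org> 1728124800 +0200
committer A U Thor <author@example.org> 1728124800 +0200
gpgsig -----BEGIN PGP SIGNATURE-----
 placeholder-signature-body
 -----END PGP SIGNATURE-----

Release 1.0
"""

if __name__ == "__main__":
    payload = signed_payload(SAMPLE_COMMIT)
    print("signed payload references only:", referenced_ids(payload))
    print("commit id (sha1):  ", object_id("commit", SAMPLE_COMMIT))
    print("commit id (sha256):", object_id("commit", SAMPLE_COMMIT, "sha256"))
```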
