| From | Simon Josefsson <simon@josefsson.org> |
|---|---|
| Newsgroups | linux.debian.devel, linux.debian.maint.python, linux.debian.maint.dpkg |
| Subject | Re: Alternative signature mechanisms for upstream source verification |
| Date | Sat, 05 Oct 2024 12:40:01 +0200 |
| Message-ID | <JuamB-h549-5@gated-at.bofh.it> |
| X-Original-Message-ID | <87ttdq3kgy.fsf@kaka.sjd.se> |
| List-Archive | https://lists.debian.org/msgid-search/87ttdq3kgy.fsf@kaka.sjd.se |
| Organization | linux.* mail to news gateway |
Stefano Rivera <stefanor@debian.org> writes:

> Should we expand this to include some of these new mechanisms?
> Things brought up in the debian-python thread include:
> 1. sigstore https://docs.sigstore.dev/
> 2. ssh signatures
> 3. signify https://man.openbsd.org/signify.1

+1

I believe all signatures we trust should be encoded in a non-mutable
transparency log like Sigstore/Sigsum etc. But the first step towards
that is to add support for verifying that property.

> There is a general trend towards getting upstream sources from Git
> rather than tarballs in Debian, but we're a long way from moving across
> completely, or even finding consensus to do so.
> These signature mechanisms can generally be applied to git commits as
> well as tarballs.

Signatures of git commits are the same as a signature on a SHA1 object,
which is broken for authentication purposes. But it is possible to
discuss these issues separately, paving the way for git commit signing
to be trustworthy when GitHub/GitLab moves to SHA256.

/Simon