From: Simon Josefsson
Newsgroups: linux.debian.devel, linux.debian.maint.python, linux.debian.maint.dpkg
Subject: Re: Alternative signature mechanisms for upstream source verification
Date: Sat, 05 Oct 2024 12:40:01 +0200
Message-ID: <87ttdq3kgy.fsf@kaka.sjd.se>
Cc: debian-python@lists.debian.org, debian-dpkg@lists.debian.org
Openpgp: id=B1D2BD1375BECB784CF4F8C4D73CF638C53C06BE; url=https://josefsson.org/key-20190320.txt
List-Archive: https://lists.debian.org/msgid-search/87ttdq3kgy.fsf@kaka.sjd.se
References: <14198883.O9o76ZdvQC@galatea> <87bk04sslp.fsf@debian.org> <4017015.ElGaqSPkdT@galatea> <20241003152912.7wwrsuxezwg3kaoj@satie.tumbleweed.org.za>
 <20241004182101.lnc5dqft4vurbcrh@satie.tumbleweed.org.za>

Stefano Rivera writes:

> Should we expand this to include some of these new mechanisms?
> Things brought up in the debian-python thread include:
> 1. sigstore https://docs.sigstore.dev/
> 2. ssh signatures
> 3. signify https://man.openbsd.org/signify.1

+1

I believe all signatures we trust should be encoded in a non-mutable
transparency log like Sigstore/Sigsum etc. But the first step towards
that is to add support for verifying that property.

> There is a general trend towards getting upstream sources from Git
> rather than tarballs in Debian, but we're a long way from moving across
> completely, or even finding consensus to do so.
> These signature mechanisms can generally be applied to git commits as
> well as tarballs.

Signatures of git commits are the same as a signature on a SHA1 object,
which is broken for authentication purposes. But it is possible to
discuss these issues separately, paving the way for git commit signing
to be trustworthy when GitHub/GitLab move to SHA256.

/Simon
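As an added illustration of the point about commit signatures (this is not code from the thread or from any project mentioned in it): git signs the commit object with its gpgsig header stripped, and that signed payload refers to the file contents only through the tree's SHA-1 object name, so the signature binds to the sources no more strongly than SHA-1 does. The commit object below is constructed; its tree id is git's well-known empty-tree hash and the signature data is a placeholder.

```python
import hashlib

# Constructed sample commit object as git stores it (not taken from the
# thread); the "gpgsig" header carries a placeholder, not a real signature.
SIGNED_COMMIT = (
    b"tree 4b825dc642cb6eb9a060e54bf8d69288fbee4904\n"
    b"author Example Dev <dev@example.org> 1728124800 +0200\n"
    b"committer Example Dev <dev@example.org> 1728124800 +0200\n"
    b"gpgsig -----BEGIN PGP SIGNATURE-----\n"
    b" \n"
    b" PLACEHOLDER_SIGNATURE_DATA\n"
    b" -----END PGP SIGNATURE-----\n"
    b"\n"
    b"Initial commit\n"
)


def split_signed_commit(raw: bytes) -> tuple[bytes, bytes]:
    """Split a commit object into the payload git signs and the signature.

    git signs the object with the gpgsig header removed; continuation lines
    of that header are prefixed with one space, which is stripped here.
    """
    headers, _, message = raw.partition(b"\n\n")
    kept, sig, in_sig = [], [], False
    for line in headers.split(b"\n"):
        if line.startswith(b"gpgsig "):
            in_sig = True
            sig.append(line[len(b"gpgsig "):])
        elif in_sig and line.startswith(b" "):
            sig.append(line[1:])
        else:
            in_sig = False
            kept.append(line)
    return b"\n".join(kept) + b"\n\n" + message, b"\n".join(sig) + b"\n"


def git_object_id(kind: bytes, content: bytes) -> str:
    """Object name as git computes it: SHA-1 over "<kind> <size>\\0<content>"."""
    header = kind + b" " + str(len(content)).encode() + b"\0"
    return hashlib.sha1(header + content).hexdigest()


def signed_tree_id(payload: bytes) -> str:
    """The signed payload names the file contents only through this SHA-1."""
    for line in payload.split(b"\n\n", 1)[0].split(b"\n"):
        if line.startswith(b"tree "):
            return line[5:].decode()
    raise ValueError("commit payload has no tree header")
```

Any tree object that collides with the referenced SHA-1 would verify under the same signature, which is why a SHA-256 object format (or a transparency log entry over the actual content) changes what the signature guarantees.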