| From | Simon Josefsson <simon@josefsson.org> |
|---|---|
| Newsgroups | linux.debian.security |
| Subject | Re: Why Does Debian Use PGP to Sign Packages |
| Date | 2025-08-16 11:30 +0200 |
| Message-ID | <LkloB-8115-1@gated-at.bofh.it> |
| References | <Lke3L-7W49-5@gated-at.bofh.it> |
| Organization | linux.* mail to news gateway |
fosres@posteo.de writes:

> Hello All,
>
> In an earlier post I asked why Debian uses PGP to sign packages
> despite its complexity.
>
> Some responded that Sequoia PGP simplifies the process.
>
> I now wish to ask why Debian uses PGP in general to sign packages when
> there are alternatives such as SigStore.
>
> What were the unique benefits in PGP that could not be found in other
> alternatives?

It existed. Sigstore or other alternatives didn't, at the time.

Sigstore and other transparency logs like Sigsum offer better security claims than PGP ever has, protecting against hidden releases.

I wish there were pure C and Python verifiers available for Sigstore and Sigsum to further ease the use of these technologies.

/Simon