Holger Levsen <holger@layer-acht.org> writes:

> On Sat, Nov 01, 2025 at 09:08:34PM +0100, Philipp Kern wrote:
>> I was actually looking into this recently, but Sigstore is also in flux
>> right now:
>
> my gut feeling is that sigsum is better suited for this than sigstore but
> maybe my guts are wrong here...

There is no reason (beyond complexity, which is a reasonable concern) to not
support both Sigstore and Sigsum, I think. Even adding support for SSHSIG
would be reasonable, to have an alternative to the mess that PGP has become.

I think supporting multiple ways to verify Release files may actually be
useful -- I think it will be many years (if ever) before Rust is as reliable
on as many archs as C or even Perl/Python is today. We want some way to
verify Release files on archs that haven't drunk the Rust cool-aid.

/Simon