On Tuesday 1 October 2024 00:07:46 CEST, Brian May wrote:
> Salvo Tomaselli <ltworf@debian.org> writes:
> > I just saw this conversation
> >
> > https://discuss.python.org/t/pre-pep-discussion-stop-providing-gpg-signatures-for-cpython-artifacts/65058
> >
> > Perhaps someone more expert than me at not making flamewars would like to
> > intervene?
>
> In what way is this going to affect Debian? Do we actually verify GPG
> signatures for upstream sources?
It seems we do not! There should be a file called
debian/upstream/signing-key.asc
that contains the public key. That's used automatically by uscan when getting
a new version.
> Is there any other reason I am not aware of why sigstore is a bad
> solution?
sigstore is 3rd party signing. You no longer keep the private key yourself.
You keep your password/token/whatever to sigstore and they sign your files.
And you hope they'll still be online and secure in the future when you
decide to check a signature.
> Somebody needs to post the answers to questions like these to the
> discussion thread.
On that thread they say that it is possible to verify signatures offline. But
the checker seems to need a number of dependencies.
--
Salvo Tomaselli
"I do not feel obliged to believe that the same God who endowed us with
sense, reason and intellect intended us to forgo their use."
-- Galileo Galilei
https://ltworf.codeberg.page/
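As an added example (not part of this thread, and not uscan's own code), the script below reproduces the check uscan performs with debian/upstream/signing-key.asc: a detached OpenPGP signature on an upstream tarball is verified with gpgv against the keyring the maintainer ships in the package. The key, identity and "tarball" are all constructed in a throwaway GNUPGHOME; it assumes gpg and gpgv are installed.

```shell
#!/bin/sh
# Added example: mimic the debian/upstream/signing-key.asc check done by uscan.
# Everything here (key, identity, tarball) is generated locally and thrown away.
set -eu

WORK=$(mktemp -d)
export GNUPGHOME="$WORK/gnupg"          # isolated keyring, never the user's own
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Unattended gpg without a passphrase, for the simulated upstream side only.
gpg_nopass() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

UPSTREAM_UID="Upstream Test <upstream@example.invalid>"   # constructed identity

# 1. Upstream (simulated): generate a release key and sign a release tarball.
gpg_nopass --quick-gen-key "$UPSTREAM_UID" default default never
printf 'constructed release contents\n' > "$WORK/foo-1.0.tar.gz"
gpg_nopass --armor --detach-sign --output "$WORK/foo-1.0.tar.gz.asc" "$WORK/foo-1.0.tar.gz"

# 2. Maintainer: the exported public key is what ships as debian/upstream/signing-key.asc.
mkdir -p "$WORK/debian/upstream"
gpg --batch --quiet --armor --export "$UPSTREAM_UID" > "$WORK/debian/upstream/signing-key.asc"

# verify_upstream_sig KEY_ASC SIGNATURE TARBALL
# Returns 0 only if SIGNATURE over TARBALL validates under a key in KEY_ASC.
# gpgv wants a binary keyring, so the armored file is dearmored first
# (uscan performs the same conversion before calling gpgv).
verify_upstream_sig() {
    keyring="$(mktemp)"
    gpg --batch --quiet --dearmor < "$1" > "$keyring"
    if gpgv --keyring "$keyring" "$2" "$3"; then rc=0; else rc=1; fi
    rm -f "$keyring"
    return $rc
}

# Demonstration: the genuine tarball passes, a modified one is rejected.
KEY_ASC="$WORK/debian/upstream/signing-key.asc"
SIG="$WORK/foo-1.0.tar.gz.asc"
cp "$WORK/foo-1.0.tar.gz" "$WORK/tampered.tar.gz"
printf 'x' >> "$WORK/tampered.tar.gz"                    # one appended byte
verify_upstream_sig "$KEY_ASC" "$SIG" "$WORK/foo-1.0.tar.gz" && echo "genuine tarball: accepted"
verify_upstream_sig "$KEY_ASC" "$SIG" "$WORK/tampered.tar.gz" || echo "tampered tarball: rejected"
```

Note that the check only ties the tarball to whatever key is in signing-key.asc; the maintainer still has to obtain and pin the right upstream key, which is the part that moves to a third party under sigstore.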