Re: python devs are planning to stop signing with gpg
Salvo Tomaselli <ltworf@debian.org> writes:
> I just saw this conversation
>
> https://discuss.python.org/t/pre-pep-discussion-stop-providing-gpg-signatures-for-cpython-artifacts/65058
>
> Perhaps someone more expert than me at not making flamewars would like to
> intervene?
In what way is this going to affect Debian? Do we actually verify GPG
signatures for upstream sources?

The replacement sigstore - verification is online only (at least as per
comments in thread). Do we have a requirement to check signatures
offline?

Is there any other reason I am not aware of why sigstore is a bad
solution?

Somebody needs to post the answers to questions like these to the
discussion thread.
--
Brian May @ Debian