Re: python devs are planning to stop signing with gpg



Salvo Tomaselli <ltworf@debian.org> writes:

> On that thread they say that it is possible to verify signatures offline. But 
> the checker seems to need a number of dependencies.

"TL;DR: Starting with the next release, --offline will also mean that
sigstore-python performs no automatic trust root updates."

Maybe I am wrong here, maybe this is similar to GPG, but regardless it
made me a bit nervous.
-- 
Brian May @ Debian

