Re: python devs are planning to stop signing with gpg

To: Salvo Tomaselli <ltworf@debian.org>, debian-python@lists.debian.org
Subject: Re: python devs are planning to stop signing with gpg
From: Brian May <bam@debian.org>
Date: Tue, 01 Oct 2024 09:36:42 +1000
Message-id: <[🔎] 877cassohh.fsf@debian.org>
In-reply-to: <[🔎] 4017015.ElGaqSPkdT@galatea>
References: <[🔎] 14198883.O9o76ZdvQC@galatea> <[🔎] 87bk04sslp.fsf@debian.org> <[🔎] 4017015.ElGaqSPkdT@galatea>

Salvo Tomaselli <ltworf@debian.org> writes:

> On that thread they say that it is possible to verify signatures offline. But 
> the checker seems to need a number of dependencies.

"TL;DR: Starting with the next release, --offline will also mean that
sigstore-python performs no automatic trust root updates."

Maybe I am wrong here, maybe this is similar to GPG, but regardless it
made me a bit nervous.
-- 
Brian May @ Debian

Reply to:

References:
- python devs are planning to stop signing with gpg
  - From: Salvo Tomaselli <ltworf@debian.org>
- Re: python devs are planning to stop signing with gpg
  - From: Brian May <bam@debian.org>
- Re: python devs are planning to stop signing with gpg
  - From: Salvo Tomaselli <ltworf@debian.org>

Prev by Date: Re: python devs are planning to stop signing with gpg
Previous by thread: Re: python devs are planning to stop signing with gpg
Index(es):
- Date
- Thread