Re: python devs are planning to stop signing with gpg
Hi Salvo (2024.09.30_22:15:34_+0000)
> > In what way is this going to affect Debian? Do we actually verify GPG
> > signatures for upstream sources?
>
> It seems we do not!
Fixed.
> > Is there any other reason I am not aware of why sigstore is a bad
> > solution?
>
> sigstore is 3rd party signing. You no longer keep the private key yourself.
> You keep your password/token/whatever to sigstore and they sign your files.
From a quick read of the docs: I think ephemeral keys are used (or can
be?) but the signature is recorded into their CT log, with your account.
That's the bit signed by their key.
> And you hope they'll still be online and secure in the future when you will
> decide to check a signature.
I see an offline mode is supported.
We should figure out what it would take to support sigstore in Debian
source packages, assuming there is more adoption.
Stefano
--
Stefano Rivera
http://tumbleweed.org.za/
+1 415 683 3272
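To make concrete what a Debian-side verifier would actually have to trust under the scheme described above, here is an added toy model. It is not code from this thread and not sigstore's real formats (no X.509 certificates, no Merkle inclusion proofs, no certificate validity window); Ed25519, the payload encodings and all names are assumptions made for the illustration. It models the three pieces mentioned in the reply: an ephemeral per-signing key, an identity binding signed by the service's long-lived key, and a log entry signed by the log's key, plus an offline check that needs only pinned public keys and an expected identity.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Toy model of a Sigstore-style flow (illustration only, not the real Fulcio/Rekor formats).
// IdentityCert stands in for the short-lived certificate: it binds an OIDC identity
// to an ephemeral public key and is signed by the CA's long-lived key.
type IdentityCert struct {
	Identity string            // e.g. the signer's e-mail as asserted by the OIDC issuer
	Issuer   string            // OIDC issuer URL
	PubKey   ed25519.PublicKey // ephemeral key, one per signing session
	CASig    []byte
}

// certPayload is the byte string the CA signs (encoding assumed for this model).
func certPayload(identity, issuer string, pub ed25519.PublicKey) []byte {
	return []byte("cert\x00" + identity + "\x00" + issuer + "\x00" + hex.EncodeToString(pub))
}

// LogReceipt stands in for the transparency log's signed entry: the log signs a hash
// of what it recorded, so a verifier can check the entry later without contacting it.
type LogReceipt struct {
	EntryHash []byte
	LogSig    []byte
}

// Bundle is everything an offline verifier needs; it carries no private key at all.
type Bundle struct {
	Signature []byte
	Cert      IdentityCert
	Receipt   LogReceipt
}

// entryHash binds cert, artifact digest and signature into one log entry.
func entryHash(cert IdentityCert, digest, sig []byte) []byte {
	h := sha256.New()
	h.Write(certPayload(cert.Identity, cert.Issuer, cert.PubKey))
	h.Write(digest)
	h.Write(sig)
	return h.Sum(nil)
}

// SignArtifact models one signing session. caPriv and logPriv stand for keys held by
// the CA and the log, not by the signer. The ephemeral private key is created here and
// dropped on return: there is nothing for the signer to keep or lose.
func SignArtifact(artifact []byte, identity, issuer string, caPriv, logPriv ed25519.PrivateKey) (Bundle, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Bundle{}, err
	}
	cert := IdentityCert{Identity: identity, Issuer: issuer, PubKey: pub}
	cert.CASig = ed25519.Sign(caPriv, certPayload(identity, issuer, pub))
	digest := sha256.Sum256(artifact)
	sig := ed25519.Sign(priv, digest[:])
	eh := entryHash(cert, digest[:], sig)
	receipt := LogReceipt{EntryHash: eh, LogSig: ed25519.Sign(logPriv, eh)}
	return Bundle{Signature: sig, Cert: cert, Receipt: receipt}, nil
}

// VerifyOffline needs only pinned CA and log public keys (the trusted-root material)
// plus a policy for who is expected to sign this upstream. No network access.
func VerifyOffline(b Bundle, artifact []byte, wantIdentity, wantIssuer string, caPub, logPub ed25519.PublicKey) error {
	digest := sha256.Sum256(artifact)
	// 1. cert from the pinned CA, naming exactly the expected identity and issuer
	if !ed25519.Verify(caPub, certPayload(b.Cert.Identity, b.Cert.Issuer, b.Cert.PubKey), b.Cert.CASig) {
		return errors.New("identity cert not signed by the trusted CA")
	}
	if b.Cert.Identity != wantIdentity || b.Cert.Issuer != wantIssuer {
		return fmt.Errorf("cert names %q via %q, expected %q via %q", b.Cert.Identity, b.Cert.Issuer, wantIdentity, wantIssuer)
	}
	// 2. artifact signature valid under the ephemeral key in that cert
	if !ed25519.Verify(b.Cert.PubKey, digest[:], b.Signature) {
		return errors.New("artifact signature invalid")
	}
	// 3. log receipt covers exactly this entry and is signed by the pinned log key
	if !bytes.Equal(entryHash(b.Cert, digest[:], b.Signature), b.Receipt.EntryHash) {
		return errors.New("log receipt does not cover this entry")
	}
	if !ed25519.Verify(logPub, b.Receipt.EntryHash, b.Receipt.LogSig) {
		return errors.New("log receipt not signed by the trusted log")
	}
	return nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	logPub, logPriv, _ := ed25519.GenerateKey(rand.Reader)
	tarball := []byte("constructed stand-in for an upstream tarball")
	b, _ := SignArtifact(tarball, "maintainer@example.org", "https://issuer.example", caPriv, logPriv)
	fmt.Println("expected signer:", VerifyOffline(b, tarball, "maintainer@example.org", "https://issuer.example", caPub, logPub))
	fmt.Println("other identity: ", VerifyOffline(b, tarball, "someone-else@example.org", "https://issuer.example", caPub, logPub))
}
```

The point the model makes explicit: the verifier's policy is an identity and issuer rather than a key fingerprint, and what has to be pinned and kept current on the Debian side is the service's root key material (CA and log keys), which is exactly what an offline check depends on. A log receipt from a key the verifier does not trust, or a cert naming a different identity, fails even though the artifact signature itself is valid.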