Jeremy Stanley <fungi@yuggoth.org> writes:

> On 2025-08-10 14:35:20 +0000 (+0000), fosres@posteo.de wrote:
>> Since Debian is a major Linux distribution I want to ask why
>> software developers continue to digitally sign their code and
>> software packages with GNUPG when there are simpler alternatives
>> such as minisign (https://jedisct1.github.io/minisign/), signify, or
>> age (https://github.com/FiloSottile/age).
> [...]
>
> While I can't speak authoritatively on the matter, you hint at the
> reason already when you use the word "continue." The other solutions
> you cite are mere infants compared to the ages of Debian (1993) and
> PGP (1991). Change takes time, and supplanting things that are already
> working well enough requires that the benefit and interest needed to
> overcome the inertia of the status quo must exceed any related effort
> and disruption that implies. In short, the alternatives have to be
> way, way, way superior for an existing system to get replaced.

I believe the SSH signature format is old enough to be a relevant option
here. SSH signatures didn't use to offer any advantage compared to PGP,
but now that a GnuPG-incompatible OpenPGP specification has harmed the
PGP ecosystem and made the PGP world less coherent, I think SSH
signatures offer an interesting alternative.

FWIW, Guix is working on adding support for it, so that both SSHSIG and
PGP signatures may be used.

/Simon
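As an added illustration (not code from this thread, Guix or OpenSSH), here is a Python parser for the SSHSIG envelope that `ssh-keygen -Y sign` emits, showing the structural checks a verifier makes before any cryptography and the namespace field that binds an SSH signature to one purpose. The key and signature bytes are constructed placeholders, not a real ed25519 pair; the ed25519 check over the hashed message is the step that would follow with a crypto library and is not shown.

```python
import base64
import struct

ARMOR_HEAD = "-----BEGIN SSH SIGNATURE-----"
ARMOR_TAIL = "-----END SSH SIGNATURE-----"
ALLOWED_KEY_TYPES = {b"ssh-ed25519"}     # local policy: accepted key algorithms
ALLOWED_HASHES = {b"sha256", b"sha512"}  # the two hash algorithms SSHSIG defines
def _s(b: bytes) -> bytes:  # SSH 'string': uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def _fields(buf: bytes) -> list:
    """Split buf into consecutive SSH strings, rejecting any truncation."""
    out, pos = [], 0
    while pos < len(buf):
        n = struct.unpack_from(">I", buf, pos)[0] if pos + 4 <= len(buf) else len(buf)
        if pos + 4 + n > len(buf):
            raise ValueError("truncated SSH string")
        out.append(buf[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out

def build_sshsig(pubkey: bytes, sig: bytes, namespace: str, hash_alg: str = "sha512") -> str:
    """Assemble an armored SSHSIG envelope (used here only to construct sample input)."""
    blob = (b"SSHSIG" + struct.pack(">I", 1)                           # magic + version 1
            + _s(_s(b"ssh-ed25519") + _s(pubkey))                      # public key blob
            + _s(namespace.encode()) + _s(b"") + _s(hash_alg.encode())  # namespace, reserved, hash
            + _s(_s(b"ssh-ed25519") + _s(sig)))                        # signature blob
    b64 = base64.b64encode(blob).decode()
    return "\n".join([ARMOR_HEAD, *(b64[i:i + 70] for i in range(0, len(b64), 70)), ARMOR_TAIL]) + "\n"

def parse_sshsig(armored: str, expected_namespace: str) -> dict:
    """Decode an SSHSIG envelope and enforce the structural checks a verifier makes before any cryptography."""
    lines = armored.strip().splitlines()
    if len(lines) < 3 or lines[0] != ARMOR_HEAD or lines[-1] != ARMOR_TAIL:
        raise ValueError("bad armor")
    blob = base64.b64decode("".join(lines[1:-1]), validate=True)
    if len(blob) < 10 or blob[:6] != b"SSHSIG" or struct.unpack_from(">I", blob, 6)[0] != 1:
        raise ValueError("bad magic or unsupported SSHSIG version")
    key_blob, namespace, _reserved, hash_alg, sig_blob = _fields(blob[10:])  # wrong count -> ValueError
    (key_type, key), (sig_type, sig) = _fields(key_blob), _fields(sig_blob)
    if key_type not in ALLOWED_KEY_TYPES or sig_type != key_type or hash_alg not in ALLOWED_HASHES:
        raise ValueError("unexpected key type or hash algorithm")
    # The namespace binds a signature to one purpose ("file", "git", ...); checking it stops cross-purpose replay.
    if namespace != expected_namespace.encode():
        raise ValueError(f"namespace {namespace!r} != {expected_namespace!r}")
    return {"key_type": key_type.decode(), "public_key": key, "hash_alg": hash_alg.decode(), "signature": sig}

# Constructed sample: placeholder key and signature bytes, not a real ed25519 pair.
SAMPLE_KEY, SAMPLE_SIG = b"\x11" * 32, b"\x22" * 64
SAMPLE_ENVELOPE = build_sshsig(SAMPLE_KEY, SAMPLE_SIG, "file")
```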