fosres@posteo.de writes:

> Hello All,
>
> In an earlier post I asked why Debian uses PGP to sign packages
> despite its complexity.
>
> Some responded that Sequoia PGP simplifies the process.
>
> I now wish to ask why Debian uses PGP in general to sign packages when
> there are alternatives such as SigStore.
>
> What were the unique benefits in PGP that could not be found in other
> alternatives?

It existed. Sigstore or other alternatives didn't, at the time.

Sigstore and other transparency logs like Sigsum offer better security
claims than PGP ever has, protecting against hidden releases.

I wish there were pure C and Python verifiers available for Sigstore and
Sigsum to further ease the use of these technologies.

/Simon
Attachment:
signature.asc
Description: PGP signature