Re: PyPI and OpenPGP keys (was: RFC: advise against using Proton Mail for Debian work?)

2023-11-17 Thread Jeremy Stanley
On 2023-11-17 01:55:45 +0100 (+0100), Salvo Tomaselli wrote: > You have a system that is an insane overkill. I'm one guy with one > computer and no funding to do any of this. I admitted as much. My point was that building, signing, and uploading the tarball to PyPI are distinct steps which can be

Re: RFC: advise against using Proton Mail for Debian work?

2023-11-16 Thread Jonathan McDowell
On Wed, Nov 15, 2023 at 11:21:06PM +0100, Norwid Behrnd wrote: > I would like to add an observation tangential to your points A), explanation > to new contributors, and B) potentially advise against the use of Proton Mail > for Debian work to yield a «no, Proton Mail can be useful for some Debian

Debian package signing and integrity (was: RFC: advise against using Proton Mail for Debian work?)

2023-11-15 Thread G. Branden Robinson
At 2023-11-15T14:58:15+, Jeremy Stanley wrote: > I replied to you there too, but you still never seemed to be able to > explain... why do you need to put an OpenPGP key on the service > you're using to upload Python packages (not Debian packages) to > PyPI, given that PyPI doesn't support

Re: RFC: advise against using Proton Mail for Debian work?

2023-11-15 Thread Russ Allbery
Jeremy Stanley writes: > Or build and sign the .tar.gz, then provide the .tar.gz file to the > upload automation on GitHub for publishing to PyPI. Oh, yes, that would work. You'd want to unpack that tarball and re-run the tests and whatnot, but all very doable. -- Russ Allbery

Re: RFC: advise against using Proton Mail for Debian work?

2023-11-15 Thread Jeremy Stanley
On 2023-11-15 16:03:54 -0800 (-0800), Russ Allbery wrote: [...] > Well, you *can*, but you would have to then download the .tar.gz from > PyPI, perform whatever checks you need to in order to ensure it is a > faithful copy of the source release, and then sign it and put that .asc > file somewhere

Re: RFC: advise against using Proton Mail for Debian work?

2023-11-15 Thread Russ Allbery
Salvo Tomaselli writes: > I am currently not using any service to upload to pypi. But this > requires the occasional creation and deletion of global tokens. > The only way to avoid global tokens is to upload from github, in which > case I can no longer sign the .tar.gz. Well, you *can*, but

Re: PyPI and OpenPGP keys (was: RFC: advise against using Proton Mail for Debian work?)

2023-11-15 Thread Jeremy Stanley
On 2023-11-16 00:20:40 +0100 (+0100), Salvo Tomaselli wrote: > In data mercoledì 15 novembre 2023 15:58:15 CET, Jeremy Stanley ha scritto: > > why do you need to put an OpenPGP key on the service > > you're using to upload Python packages (not Debian packages) to > > PyPI, given that PyPI doesn't

Re: RFC: advise against using Proton Mail for Debian work?

2023-11-15 Thread Steve McIntyre
I wrote: >nil...@mailbox.org wrote: >> >>>2. The Proton Mail web client automatically encrypts email to anyone who >>>it has a key for. Usually, this would be a great thing, but it means >>>that emailing 1234 at bugs.debian.org while CCing >>>uploader_since_this_is_an_rc_...@debian.org will

Re: RFC: advise against using Proton Mail for Debian work?

2023-11-15 Thread Norwid Behrnd
Hello, I would like to add an observation tangential to your points A), explanation to new contributors, and B) potentially advise against the use of Proton Mail for Debian work to yield a «no, Proton Mail can be useful for some Debian work». In December 2022/January 2023, I found a sponsor for

Re: RFC: advise against using Proton Mail for Debian work?

2023-11-15 Thread James Addison
Hi, My few smallcoins, responding to each of the proposed outcomes (even if they were intended to be mutually-exclusive...) are: A) Educating contributors that retaining control of their signing keys is important seems valuable -- it seems OK to provide a few illustrative examples of situations

Re: RFC: advise against using Proton Mail for Debian work?

2023-11-15 Thread Jeremy Stanley
On 2023-11-15 11:01:35 +0100 (+0100), Salvo Tomaselli wrote: [...] > I was recently discussing with pypi and core python developers, > and it seems that their take is very different than ours. > > It seems that pypi completely removed support for signed updates, > and instead now verification

Re: RFC: advise against using Proton Mail for Debian work?

2023-11-15 Thread Hakan Bayındır
Hello, I completely agree with you and many others in that regard. A private key is private, and shall not be stored on a server which multiple users might access and which is open to the internet and can be compromised. Doing this makes the attack surface substantially larger, and given the

Re: RFC: advise against using Proton Mail for Debian work?

2023-11-15 Thread Steve McIntyre
nil...@mailbox.org wrote: > >>2. The Proton Mail web client automatically encrypts email to anyone who >>it has a key for. Usually, this would be a great thing, but it means >>that emailing 1234 at bugs.debian.org while CCing >>uploader_since_this_is_an_rc_...@debian.org will encrypt the email

Re: RFC: advise against using Proton Mail for Debian work?

2023-11-15 Thread Luci Stanescu
Hi, I'm new to this mailing list, having joined hoping to contribute to Debian, so I hope you won't mind me offering my opinion here, with this being a subject I'm quite keen on. > On 15 Nov 2023, at 12:01, Salvo Tomaselli wrote: > > In data mercoledì 15 novembre 2023 03:21:34 CET, Simon

Re: RFC: advise against using Proton Mail for Debian work?

2023-11-15 Thread Stephan Lachnit
While I do think that PM generating a PGP key by default is a good thing (even if they are compromised, it is still better than no encryption for the vast majority of users *as long as they are not used for something else*), the problem for us is that it is not possible to upload subkeys to PM,

Re: RFC: advise against using Proton Mail for Debian work?

2023-11-15 Thread Pierre-Elliott Bécue
Nilesh Patra wrote on 15/11/2023 at 03:49:12+0100: > On 15 November 2023 5:10:50 am IST, Nicholas D Steeves > wrote: >>On the surface, this means Proton Mail (free account) is great! And for >>general use, I feel like we should be supportive of them; however, I'm >>starting to wonder if we

Re: RFC: advise against using Proton Mail for Debian work?

2023-11-14 Thread Nilesh Patra
On 15 November 2023 5:10:50 am IST, Nicholas D Steeves wrote: >On the surface, this means Proton Mail (free account) is great! And for >general use, I feel like we should be supportive of them; however, I'm >starting to wonder if we need to recommend against the use of Proton >mail for Debian

Re: RFC: advise against using Proton Mail for Debian work?

2023-11-14 Thread M. Zhou
On Tue, 2023-11-14 at 18:40 -0500, Nicholas D Steeves wrote: > > I see three outcomes: > > A) Continue to explain this to new contributors on a one-by-one > basis. > B) Advise against using Proton Mail for Debian work (where?  our > wiki?) > C) Proton Mail begins to do something differently on

Re: RFC: advise against using Proton Mail for Debian work?

2023-11-14 Thread Simon Richter
Hi, On 11/15/23 08:40, Nicholas D Steeves wrote: 1. I've received a report that this provider is not appropriate for DM and DD use, because the key pair is stored on their servers. I.e.: The applicant doesn't control the means of validating identity and authorship. Correct. I'd even go as far

RFC: advise against using Proton Mail for Debian work?

2023-11-14 Thread Nicholas D Steeves
Hello, Please retain me in CC for all replies. Everyone reading this most likely believes that PGP/GPG is a good thing; many will advocate for its use by default for even unimportant correspondence, because privacy is a right. Meanwhile, everyday usage of encryption normalises it, which is