Salvo Tomaselli <ltw...@debian.org> writes:

> I just saw this conversation
>
> https://discuss.python.org/t/pre-pep-discussion-stop-providing-gpg-signatures-for-cpython-artifacts/65058
>
> Perhaps someone more expert than me at not making flamewars would like to
> intervene?

In what way is this going to affect Debian? Do we actually verify GPG signatures for upstream sources?

The replacement sigstore - verification is online only (at least as per comments in thread). Do we have a requirement to check signatures offline?

Is there any other reason I am not aware of why sigstore is a bad solution?

Somebody needs to post the answers to questions like these to the discussion thread.

--
Brian May @ Debian