On 2024-10-03 14:22:09 -0400 (-0400), Louis-Philippe Véronneau wrote:
[...]
> In general, having viable alternatives to OpenPGP would open an
> interesting door for the general Debian ecosystem...
Agreed, OpenBSD projects have been signing release artifacts with
their signify tool for a while, whi
On 2024-10-03 11:29, Stefano Rivera wrote:
We should figure out what it would take to support sigstore in Debian
source packages, assuming there is more adoption.
Having that support in uscan and the rest of our tooling would be amazing.
That would let us support things like SSH signatures, li
Hi Salvo (2024.09.30_22:15:34_+)
> > In what way is this going to affect Debian? Do we actually verify GPG
> > signatures for upstream sources?
>
> It seems we do not!
Fixed.
> > Is there any other reason I am not aware of why sigstore is a bad
> > solution?
>
> sigstore is 3rd party signin
Salvo Tomaselli writes:
> On that thread they say that it is possible to verify signatures offline. But
> the checker seems to need a number of dependencies.
"TL;DR: Starting with the next release, --offline will also mean that
sigstore-python performs no automatic trust root updates."
Maybe I
Salvo Tomaselli writes:
> I just saw this conversation
>
> https://discuss.python.org/t/pre-pep-discussion-stop-providing-gpg-signatures-for-cpython-artifacts/65058
>
> Perhaps someone more expert than me at not making flamewars would like to
> intervene?
In what way is this going to affect Deb