Stefano Rivera <stefa...@debian.org> writes:

> Should we expand this to include some of these new mechanisms?
> Things brought up in the debian-python thread include:
> 1. sigstore https://docs.sigstore.dev/
> 2. ssh signatures
> 3. signify https://man.openbsd.org/signify.1

+1

I believe all signatures we trust should be encoded in a non-mutable
transparency log like Sigstore/Sigsum etc.  But the first step towards
that is to add support for verifying that property.

> There is a general trend towards getting upstream sources from Git
> rather than tarballs in Debian, but we're a long way from moving across
> completely, or even finding consensus to do so.
> These signature mechanisms can generally be applied to git commits as
> well as tarballs.

Signatures of git commits is the same as a signature on a SHA1 object
which is broken for authentication purposes.  But it is possible to
discuss these issues separately, paving the way for git commit signing
to be trustworthy when GitHub/GitLab moves to SHA256.

/Simon

Attachment: signature.asc
Description: PGP signature

Reply via email to