Stefano Rivera <stefa...@debian.org> writes: > Should we expand this to include some of these new mechanisms? > Things brought up in the debian-python thread include: > 1. sigstore https://docs.sigstore.dev/ > 2. ssh signatures > 3. signify https://man.openbsd.org/signify.1
+1 I believe all signatures we trust should be encoded in a non-mutable transparency log like Sigstore/Sigsum etc. But the first step towards that is to add support for verifying that property. > There is a general trend towards getting upstream sources from Git > rather than tarballs in Debian, but we're a long way from moving across > completely, or even finding consensus to do so. > These signature mechanisms can generally be applied to git commits as > well as tarballs. Signatures of git commits is the same as a signature on a SHA1 object which is broken for authentication purposes. But it is possible to discuss these issues separately, paving the way for git commit signing to be trustworthy when GitHub/GitLab moves to SHA256. /Simon
signature.asc
Description: PGP signature