Re: python devs are planning to stop signing with gpg
On 2024-10-03 14:22:09 -0400 (-0400), Louis-Philippe Véronneau wrote:
[...]
> In general, having viable alternatives to OpenPGP would open an
> interesting door for the general Debian ecosystem...

Agreed, OpenBSD projects have been signing release artifacts with their
signify tool for a while, which is (slowly) growing in popularity too:
https://packages.debian.org/signify

-- 
Jeremy Stanley
Re: python devs are planning to stop signing with gpg
Hi Salvo (2024.09.30_22:15:34_+)

> > In what way is this going to affect Debian? Do we actually verify GPG
> > signatures for upstream sources?
>
> It seems we do not! Fixed.
>
> > Is there any other reason I am not aware of why sigstore is a bad
> > solution?
>
> sigstore is 3rd party signing. You no longer keep the private key yourself.
> You keep your password/token/whatever to sigstore and they sign your files.

From a quick read of the docs: I think ephemeral keys are used (or can be?) but
the signature is recorded into their CT log, with your account. That's the bit
signed by their key.

> And you hope they'll still be online and secure in the future when you will
> decide to check a signature.

I see an offline mode is supported.

We should figure out what it would take to support sigstore in Debian source
packages, assuming there is more adoption.

Stefano

-- 
Stefano Rivera  http://tumbleweed.org.za/  +1 415 683 3272
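The trust model Stefano sketches above (an ephemeral signing key, a log entry tied to the account and countersigned by the log's own key, verification possible offline) can be shown in a small constructed model. This is an added example, not code from sigstore, Debian or anyone on this thread; it uses the `cryptography` library and stands in LOG_KEY for the transparency log's key, a plain identity string for the OIDC-verified account, and a JSON dict for the log entry shipped next to the artifact. Real sigstore also issues a short-lived Fulcio certificate and publishes Merkle inclusion proofs; both are left out here.

```python
# Toy model of the sigstore-style trust flow (constructed example). Assumed
# stand-ins: LOG_KEY for the transparency log's signing key, an identity
# string for the account the log saw, a JSON dict for the log entry.
import hashlib
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)

# Long-lived key of the log. This, not any developer key, is what a verifier
# has to trust; a distribution would ship its public half like a keyring.
LOG_KEY = Ed25519PrivateKey.generate()
LOG_PUBLIC = LOG_KEY.public_key()


def _raw(pub: Ed25519PublicKey) -> bytes:
    return pub.public_bytes(serialization.Encoding.Raw, serialization.PublicFormat.Raw)


def _canonical(entry: dict) -> bytes:
    # Deterministic encoding of everything the log vouches for.
    body = {k: v for k, v in entry.items() if k != "log_signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_artifact(artifact: bytes, identity: str, log_key=LOG_KEY) -> dict:
    """Signer side: an ephemeral key signs the artifact; the log records
    (identity, digest, ephemeral public key, signature) and countersigns it.
    The ephemeral private key is dropped when this function returns."""
    ephemeral = Ed25519PrivateKey.generate()
    entry = {
        "identity": identity,
        "sha256": hashlib.sha256(artifact).hexdigest(),
        "public_key": _raw(ephemeral.public_key()).hex(),
        "signature": ephemeral.sign(artifact).hex(),
    }
    # "That's the bit signed by their key": the log's countersignature.
    entry["log_signature"] = log_key.sign(_canonical(entry)).hex()
    return entry


def verify_offline(artifact: bytes, entry: dict, log_public: Ed25519PublicKey,
                   expected_identity: str) -> bool:
    """Verifier side, no network: needs only the artifact, the log entry and
    the log's public key. Every check must pass."""
    if entry.get("identity") != expected_identity:
        return False
    if entry.get("sha256") != hashlib.sha256(artifact).hexdigest():
        return False
    try:
        # 1. The log vouches for this exact entry (identity <-> key binding).
        log_public.verify(bytes.fromhex(entry["log_signature"]), _canonical(entry))
        # 2. The ephemeral key named in the entry really signed this artifact.
        ephemeral_pub = Ed25519PublicKey.from_public_bytes(bytes.fromhex(entry["public_key"]))
        ephemeral_pub.verify(bytes.fromhex(entry["signature"]), artifact)
    except (InvalidSignature, KeyError, ValueError):
        return False
    return True


if __name__ == "__main__":
    # Constructed stand-in for an upstream tarball.
    tarball = b"meson_python-0.16.0.tar.gz (constructed stand-in for the artifact)"
    bundle = sign_artifact(tarball, "uploader@example.org")
    print(verify_offline(tarball, bundle, LOG_PUBLIC, "uploader@example.org"))        # True
    print(verify_offline(tarball + b"!", bundle, LOG_PUBLIC, "uploader@example.org"))  # False
```

The point the model makes is where trust moves: the verifier never needs the developer's key, only the log's public key, and an entry countersigned by some other key, or edited after the fact, fails even though the artifact digest still matches. Tooling such as uscan would have to carry that log key and the entry format, which is the "what it would take" part.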
Upload request: meson-python
Hello,

I'd like to request an upload of the src:meson-python package, in particular to
close bug #1076806, a reproducibility bug related to documentation copyright
notices -- the patch there has been committed[1] in Salsa, and also subsequently
merged[2] into the upstream codebase.

There haven't been any newer releases by upstream since the current version in
Debian testing (0.16.0-1), and the only other pending change as far as I can
tell is a Standards-Version increment.

Also note, to reduce possible ambiguity: this package isn't the meson build
system itself, but is a Python PEP517 plugin -- a plugin that allows Python
packages to use meson during their own build/setup processes.

Thanks!
James

[1] - https://salsa.debian.org/python-team/packages/meson-python/-/commit/b17dbeae9a9489c1a2e5dcdb4fab4d9c9e5aad1f
[2] - https://github.com/mesonbuild/meson-python/pull/652
Re: python devs are planning to stop signing with gpg
On 2024-10-03 11:29, Stefano Rivera wrote:
> We should figure out what it would take to support sigstore in Debian source
> packages, assuming there is more adoption.

Having that support in uscan and the rest of our tooling would be amazing. That
would let us support things like SSH signatures, like I encountered in #1023140.

In general, having viable alternatives to OpenPGP would open an interesting door
for the general Debian ecosystem...

-- 
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁  Louis-Philippe Véronneau
⢿⡄⠘⠷⠚⠋   po...@debian.org / veronneau.org
⠈⠳⣄