Stefano Rivera writes:
> Should we expand this to include some of these new mechanisms?
> Things brought up in the debian-python thread include:
> 1. sigstore https://docs.sigstore.dev/
> 2. ssh signatures
> 3. signify https://man.openbsd.org/signify.1
+1
I believe all signatures we trust shoul
On 2024-10-05 03:32, Guillem Jover wrote:
> For an example of the activity that is going on in the OpenPGP ecosystem,
> here's a list of some of the non-GnuPG implementations already present
> in Debian, by programming language:
Thanks for the list! I was aware of some of them, but not all.
> *
Hi Guillem (2024.10.05_01:32:45_+)
> > 1. sigstore https://docs.sigstore.dev/
>
> Although I've heard of this before, I never really checked what is
> the actual design behind it, and its implications.
I'm new to all this too, but I can answer some of those questions from
my own reading:
> I
Hi!
On Fri, 2024-10-04 at 18:21:01 +, Stefano Rivera wrote:
> Picking up a thread that started on debian-python@lists.debian.org:
> https://lists.debian.org/msgid-search/14198883.O9o76ZdvQC@galatea
>
> Upstreams that care about supply chain security have been building
> mechanisms to authenti
* Stefano Rivera: "Alternative signature mechanisms for upstream source
verification" (Fri, 4 Oct 2024 18:21:01 +):
[...]
> Should we expand this to include some of these new mechanisms?
> Things brought up in the debian-python thread include:
> 1. sigstore https://doc
Picking up a thread that started on debian-python@lists.debian.org:
https://lists.debian.org/msgid-search/14198883.O9o76ZdvQC@galatea
Upstreams that care about supply chain security have been building
mechanisms to authenticate their releases, beyond PGP signatures.
For example, Python started pro
6 matches