Re: python devs are planning to stop signing with gpg

2024-10-03 Thread Jeremy Stanley
On 2024-10-03 14:22:09 -0400 (-0400), Louis-Philippe Véronneau wrote: [...] > In general, having viable alternatives to OpenPGP would open an > interesting door for the general Debian ecosystem... Agreed, OpenBSD projects have been signing release artifacts with their signify tool for a while, whi

Re: python devs are planning to stop signing with gpg

2024-10-03 Thread Stefano Rivera
Hi Salvo (2024.09.30_22:15:34_+) > > In what way is this going to affect Debian? Do we actually verify GPG > > signatures for upstream sources? > > It seems we do not! Fixed. > > Is there any other reason I am not aware of why sigstore is a bad > > solution? > > sigstore is 3rd party signin

Upload request: meson-python

2024-10-03 Thread James Addison
Hello, I'd like to request an upload of the src:meson-python package, in particular to close bug #1076806, a reproducibility bug related to documentation copyright notices -- the patch there has been committed[1] in Salsa, and also subsequently merged[2] into the upstream codebase. There haven't

Re: python devs are planning to stop signing with gpg

2024-10-03 Thread Louis-Philippe Véronneau
On 2024-10-03 11:29, Stefano Rivera wrote: We should figure out what it would take to support sigstore in Debian source packages, assuming there is more adoption. Having that support in uscan and the rest of our tooling would be amazing. That would let us support things like SSH signatures, li