• python devs are planning to stop signing with gpg

    From Salvo Tomaselli@21:1/5 to All on Mon Sep 30 23:48:38 2024
    Hello,

    I just saw this conversation

    https://discuss.python.org/t/pre-pep-discussion-stop-providing-gpg-signatures-for-cpython-artifacts/65058

    Perhaps someone more expert than me at not making flamewars would like to intervene?

    --
    Salvo Tomaselli

    "I do not feel obliged to believe that the same God who has endowed us with sense, reason and intellect intended us to forgo their use."
    -- Galileo Galilei

    https://ltworf.codeberg.page/

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Salvo Tomaselli@21:1/5 to All on Tue Oct 1 00:15:34 2024
    To: [email protected] (Brian May)

    On Tuesday 1 October 2024 00:07:46 CEST, Brian May wrote:
    > Salvo Tomaselli <[email protected]> writes:
    >> I just saw this conversation
    >>
    >> https://discuss.python.org/t/pre-pep-discussion-stop-providing-gpg-signatures-for-cpython-artifacts/65058
    >>
    >> Perhaps someone more expert than me at not making flamewars would like to intervene?
    >
    > In what way is this going to affect Debian? Do we actually verify GPG signatures for upstream sources?

    It seems we do not! There should be a file called debian/upstream/signing-key.asc
    that contains the public key. That's used automatically by uscan when getting a new version.

    > Is there any other reason I am not aware of why sigstore is a bad
    > solution?

    sigstore is 3rd party signing. You no longer keep the private key yourself. You keep your password/token/whatever to sigstore and they sign your files.

    And you hope they'll still be online and secure in the future when you will decide to check a signature.

    > Somebody needs to post the answers to questions like these to the
    > discussion thread.

    On that thread they say that it is possible to verify signatures offline. But the checker seems to need a number of dependencies.

    --
    Salvo Tomaselli

    "I do not feel obliged to believe that the same God who has endowed us with sense, reason and intellect intended us to forgo their use."
    -- Galileo Galilei

    https://ltworf.codeberg.page/
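The check Salvo describes above (uscan verifying an upstream tarball against the key shipped in debian/upstream/signing-key.asc), as an added shell illustration that is not code from the thread or from uscan itself: it builds a throwaway key, a constructed tarball and its detached signature, then verifies the way uscan does, by importing the armored key into an isolated keyring and running gpgv, so a tampered tarball is rejected. The package name, key user-id and file paths are constructed assumptions, and gpg plus gpgv must be installed.

```shell
#!/bin/sh
# Added illustration (not uscan's own code) of the check performed when
# debian/upstream/signing-key.asc exists: the armored upstream key goes into a
# throwaway keyring and the detached .asc signature is checked with gpgv.
# Needs gpg and gpgv. Every name and file below is a constructed fixture.
set -eu

# verify_upstream KEYFILE TARBALL SIGFILE -> 0 for a good signature, 1 otherwise.
# The user's own keyring is never consulted, only the key shipped in the package.
verify_upstream() {
    key="$1"; tarball="$2"; sig="$3"
    ring=$(mktemp -d)
    gpg --batch --quiet --homedir "$ring" --import "$key" >/dev/null 2>&1
    gpg --batch --quiet --homedir "$ring" --export > "$ring/upstream.gpg"
    rc=0
    gpgv --keyring "$ring/upstream.gpg" "$sig" "$tarball" >/dev/null 2>&1 || rc=1
    rm -rf "$ring"
    return "$rc"
}

# build_fixture DIR: throwaway ed25519 key, its public half exported to
# DIR/debian/upstream/signing-key.asc, and a constructed tarball plus signature.
build_fixture() {
    dir="$1"
    mkdir -p "$dir/gnupg" "$dir/debian/upstream"
    chmod 700 "$dir/gnupg"
    GNUPGHOME="$dir/gnupg"; export GNUPGHOME
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Constructed Upstream Test Key' ed25519 sign never
    gpg --batch --quiet --armor --export > "$dir/debian/upstream/signing-key.asc"
    printf 'constructed tarball, not a real release\n' > "$dir/Upstream-0.0.0.tgz"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' --detach-sign \
        --armor --output "$dir/Upstream-0.0.0.tgz.asc" "$dir/Upstream-0.0.0.tgz"
    unset GNUPGHOME
}

# Stand-alone run: genuine tarball passes, then a one-byte append is rejected.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d); build_fixture "$work"
    k="$work/debian/upstream/signing-key.asc"; t="$work/Upstream-0.0.0.tgz"
    verify_upstream "$k" "$t" "$t.asc" && echo "genuine: signature OK"
    printf 'x' >> "$t"
    verify_upstream "$k" "$t" "$t.asc" || echo "tampered: signature rejected"
    rm -rf "$work"
fi
```

Run it as `sh verify.sh demo`; uscan additionally needs the watch file to name the signature URL (for example via pgpsigurlmangle) so that it knows which .asc to fetch.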
  • From Brian May@21:1/5 to Salvo Tomaselli on Tue Oct 1 00:30:01 2024
    Salvo Tomaselli <[email protected]> writes:
    > I just saw this conversation
    >
    > https://discuss.python.org/t/pre-pep-discussion-stop-providing-gpg-signatures-for-cpython-artifacts/65058
    >
    > Perhaps someone more expert than me at not making flamewars would like to intervene?

    In what way is this going to affect Debian? Do we actually verify GPG signatures for upstream sources?

    The replacement sigstore - verification is online only (at least as per comments in thread). Do we have a requirement to check signatures
    offline?

    Is there any other reason I am not aware of why sigstore is a bad
    solution?

    Somebody needs to post the answers to questions like these to the
    discussion thread.
    --
    Brian May @ Debian

  • From Brian May@21:1/5 to Salvo Tomaselli on Tue Oct 1 02:00:01 2024
    Salvo Tomaselli <[email protected]> writes:

    > On that thread they say that it is possible to verify signatures offline. But the checker seems to need a number of dependencies.

    "TL;DR: Starting with the next release, --offline will also mean that sigstore-python performs no automatic trust root updates."

    Maybe I am wrong here, maybe this is similar to GPG, but regardless it
    made me a bit nervous.
    --
    Brian May @ Debian

  • From Stefano Rivera@21:1/5 to All on Thu Oct 3 17:30:01 2024
    Hi Salvo (2024.09.30_22:15:34_+0000)
    >> In what way is this going to affect Debian? Do we actually verify GPG signatures for upstream sources?
    >
    > It seems we do not!

    Fixed.

    >> Is there any other reason I am not aware of why sigstore is a bad
    >> solution?
    >
    > sigstore is 3rd party signing. You no longer keep the private key yourself. You keep your password/token/whatever to sigstore and they sign your files.

    From a quick read of the docs: I think ephemeral keys are used (or can
    be?) but the signature is recorded into their CT log, with your account.
    That's the bit signed by their key.

    > And you hope they'll still be online and secure in the future when you will decide to check a signature.

    I see an offline mode is supported.

    We should figure out what it would take to support sigstore in Debian
    source packages, assuming there is more adoption.

    Stefano

    --
    Stefano Rivera
    http://tumbleweed.org.za/
    +1 415 683 3272

  • From Louis-Philippe Véronneau@21:1/5 to Stefano Rivera on Thu Oct 3 20:30:01 2024
    On 2024-10-03 11:29, Stefano Rivera wrote:
    > We should figure out what it would take to support sigstore in Debian
    > source packages, assuming there is more adoption.

    Having that support in uscan and the rest of our tooling would be amazing.

    That would let us support things like SSH signatures, like I encountered
    in #1023140.

    In general, having viable alternatives to OpenPGP would open an
    interesting door for the general Debian ecosystem...

    --
    ⢀⣴⠾⠻⢶⣦⠀
    ⣾⠁⢠⠒⠀⣿⡁ Louis-Philippe Véronneau
    ⢿⡄⠘⠷⠚⠋ [email protected] / veronneau.org
    ⠈⠳⣄

  • From Jeremy Stanley@21:1/5 to All on Thu Oct 3 22:30:01 2024
    On 2024-10-03 14:22:09 -0400 (-0400), Louis-Philippe Véronneau wrote:
    [...]
    > In general, having viable alternatives to OpenPGP would open an
    > interesting door for the general Debian ecosystem...

    Agreed, OpenBSD projects have been signing release artifacts with
    their signify tool for a while, which is (slowly) growing in
    popularity too: https://packages.debian.org/signify
    --
    Jeremy Stanley

