[$] Python PGP proposal poses packaging puzzles
Date: Mon, 21 Oct 2024 15:08:53 +0000
Description:
Sigstore is a project that is meant to simplify and improve the process
of signing, verifying, and protecting software. It is a relatively new
project, declared "generally available" in 2022. Python is an early
adopter of sigstore; it started providing signatures for CPython
artifacts with Python 3.11 in 2022. This is in addition to the OpenPGP
signatures it has been providing since at least 2001. Now, Seth Michael
Larson, the Python Software Foundation (PSF) security
developer-in-residence, would like to deprecate the PGP signature and
move to sigstore exclusively by next year. If that happens, it will
involve some changes in the way that Linux distributions verify Python
releases, since none of the major distributions have processes for
working with sigstore.
======================================================================
Link to news story:
https://lwn.net/Articles/993787/
--- Mystic BBS v1.12 A47 (Linux/64)
* Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)