[$] Python PGP proposal poses packaging puzzles https://docs.sigstore.dev/ is a ...

LWN.net (RSS Feed) /

npub1y53…9tux

2024-10-21 15:08:53

[$] Python PGP proposal poses packaging puzzles

https://docs.sigstore.dev/
is a
project that is meant to simplify and improve the process of signing,
verifying, and protecting software. It is a relatively new project, https://www.prnewswire.com/news-releases/sigstore-announces-general-availability-at-sigstorecon-301657741.html

"generally available" in 2022. Python is an early adopter of sigstore; it started <a href="https://www.python.org/downloads/metadata/sigstore/"; rel="nofollow">providing
signatures for CPython artifacts</a> with https://www.python.org/downloads/release/python-3110/

in 2022. This is in addition to the https://www.openpgp.org/
signatures it has been
providing <a href="https://peps.python.org/pep-0101/"; rel="nofollow">since at
least 2001</a>. Now, Seth Michael Larson—the <a href="https://www.python.org/psf-landing/"; rel="nofollow">Python Software
Foundation</a> (PSF) <a href="https://pyfound.blogspot.com/2023/06/announcing-our-new-security-developer.html"; rel="nofollow">security
developer-in-residence</a>—would like to deprecate the PGP
signature and move to sigstore exclusively by next year. If that
happens, it will involve some changes in the way that Linux
distributions verify Python releases, since none of the major
distributions have processes for working with sigstore.

https://lwn.net/Articles/993787/

Author Public Key

npub1y535he37cx4z855x3ded2r5et624klsemav6rg2vlm3ex0j0llzszg9tux

Seen on

wss://relay.nostr.band wss://relay.primal.net

Show more details

Published at

2024-10-21 15:08:53

Kind type

1 Short Text Note

Event JSON

{ "id": "88a86a983b8f76e24c8a397f029f14b56b7384e8757ccdbf4c5ddc6c3266791c", "pubkey": "25234be63ec1aa23d2868b72d50e995e955b7e19df59a1a14cfee3933e4fffc5", "created_at": 1729523333, "kind": 1, "tags": [ [ "proxy", "https://lwn.net/headlines/newrss#https%3A%2F%2Flwn.net%2FArticles%2F993787%2F", "rss" ] ], "content": "[$] Python PGP proposal poses packaging puzzles\n\nhttps://docs.sigstore.dev/\n is a \nproject that is meant to simplify and improve the process of signing,\nverifying, and protecting software. It is a relatively new project, https://www.prnewswire.com/news-releases/sigstore-announces-general-availability-at-sigstorecon-301657741.html\n\n\"generally available\" in 2022. Python is an early adopter of sigstore; it started \u003ca href=\"https://www.python.org/downloads/metadata/sigstore/\" rel=\"nofollow\"\u003eproviding\nsignatures for CPython artifacts\u003c/a\u003e with https://www.python.org/downloads/release/python-3110/\n\nin 2022. This is in addition to the https://www.openpgp.org/\n signatures it has been\nproviding \u003ca href=\"https://peps.python.org/pep-0101/\" rel=\"nofollow\"\u003esince at\nleast 2001\u003c/a\u003e. Now, Seth Michael Larson—the \u003ca href=\"https://www.python.org/psf-landing/\" rel=\"nofollow\"\u003ePython Software\nFoundation\u003c/a\u003e (PSF) \u003ca href=\"https://pyfound.blogspot.com/2023/06/announcing-our-new-security-developer.html\" rel=\"nofollow\"\u003esecurity\ndeveloper-in-residence\u003c/a\u003e—would like to deprecate the PGP\nsignature and move to sigstore exclusively by next year. If that\nhappens, it will involve some changes in the way that Linux\ndistributions verify Python releases, since none of the major\ndistributions have processes for working with sigstore.\n\nhttps://lwn.net/Articles/993787/", "sig": "30554eb54482f3737d858c91c5db5d956859658db7f31beae08e67be9af741777854a2c9bb0f3113e2d8854129c1ecd33c4eab6014670697217e4d876b47f3ca" }