On Fri Oct 11, 2024 at 12:52 PM CEST, Michal Suchánek wrote:
if I understand this correctly intead of decentralized GPG infrastructure sigstore is a centralized service.
I don’t think it is only about centralization/decentralization (or at all). Just duck it and you get plenty of pages like [1] with a long list of gripes against PGP/GPG on purely technical basis. I have also learned about the other alternative for GPG from the OpenBSD universe, signify [2], which may be more relevant for the operating system distribution. However, technical aspects of this religious war go a way over my head. Best, Matěj [1] https://www.latacora.com/blog/2019/07/16/the-pgp-problem/ [2] https://www.openbsd.org/papers/bsdcan-signify.html -- http://matej.ceplovi.cz/blog/, @mcepl@floss.social GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8 No matter what happens in the kitchen, never apologize. -- Julia Child