On Sun, Oct 13, 2024 at 08:58:11AM +0200, Matěj Cepl wrote:
> On Fri Oct 11, 2024 at 12:52 PM CEST, Michal Suchánek wrote:
> > if I understand this correctly instead of decentralized GPG infrastructure sigstore is a centralized service.
> I don’t think it is only about centralization/decentralization (or at all). Just duck it and you get plenty of pages like [1] with a long list of gripes against PGP/GPG on a purely technical basis.
GPG/PGP is superseded for most purposes. However, for signing distributed binaries I have yet to see a proposed alternative that is actually technically at least on par with GPG/PGP.
> I have also learned about the other alternative for GPG from the OpenBSD universe, signify [2], which may be more relevant for the
Yes, signify might be a better alternative, specializing in one thing, not trying to do everything at once, poorly, and confusing the UI with too many features. At the same time it sounds like it may be too simplistic, and migrating a distribution like openSUSE completely to signify might be challenging.

Thanks

Michal
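To make concrete what "specializing in one thing" means for signify, here is an added example (not from the thread, and not OpenBSD's signify code) that reproduces the core of its design in Go: an Ed25519 signature wrapped in a minimal container of algorithm tag, random 8-byte key number and raw key or signature bytes, base64-encoded under an "untrusted comment:" line. The file layout follows the signify(1) format as I understand it; the key number check before signature verification mirrors signify's "checked against wrong key" error. Key generation, comment strings and the sample message are constructed for the example, and the secret-key file (bcrypt_pbkdf-encrypted in real signify) is deliberately not reproduced.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

const (
	pkAlg     = "Ed" // algorithm tag at the start of every signify blob
	keyNumLen = 8    // random identifier that ties a signature to a key
)

// Keypair is an Ed25519 keypair plus a signify-style key number (assumed layout).
type Keypair struct {
	KeyNum [keyNumLen]byte
	Pub    ed25519.PublicKey
	Priv   ed25519.PrivateKey
}

// Generate creates a fresh keypair and a random key number.
func Generate() (*Keypair, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	kp := &Keypair{Pub: pub, Priv: priv}
	if _, err := rand.Read(kp.KeyNum[:]); err != nil {
		return nil, err
	}
	return kp, nil
}

// encodeFile renders the two-line file format: untrusted comment, then base64 blob.
func encodeFile(comment string, blob []byte) string {
	return "untrusted comment: " + comment + "\n" + base64.StdEncoding.EncodeToString(blob) + "\n"
}

// decodeFile reverses encodeFile and enforces the fixed blob length and algorithm tag.
func decodeFile(text string, wantLen int) ([]byte, error) {
	lines := strings.SplitN(text, "\n", 3)
	if len(lines) < 2 || !strings.HasPrefix(lines[0], "untrusted comment: ") {
		return nil, errors.New("missing untrusted comment line")
	}
	blob, err := base64.StdEncoding.DecodeString(lines[1])
	if err != nil {
		return nil, err
	}
	if len(blob) != wantLen || string(blob[:2]) != pkAlg {
		return nil, errors.New("unexpected blob length or algorithm tag")
	}
	return blob, nil
}

// PubFile is the public-key file: "Ed" || keynum || 32-byte public key.
func (kp *Keypair) PubFile() string {
	blob := append([]byte(pkAlg), kp.KeyNum[:]...)
	return encodeFile("signify public key", append(blob, kp.Pub...))
}

// Sign produces the .sig file: "Ed" || keynum || 64-byte Ed25519 signature.
func (kp *Keypair) Sign(msg []byte, pubName string) string {
	blob := append([]byte(pkAlg), kp.KeyNum[:]...)
	return encodeFile("verify with "+pubName, append(blob, ed25519.Sign(kp.Priv, msg)...))
}

// Verify checks a signature file against a public-key file and the signed bytes.
// A key-number mismatch is rejected before the signature is even looked at.
func Verify(pubFile, sigFile string, msg []byte) error {
	pub, err := decodeFile(pubFile, 2+keyNumLen+ed25519.PublicKeySize)
	if err != nil {
		return fmt.Errorf("pubkey: %w", err)
	}
	sig, err := decodeFile(sigFile, 2+keyNumLen+ed25519.SignatureSize)
	if err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	if !bytes.Equal(pub[2:2+keyNumLen], sig[2:2+keyNumLen]) {
		return errors.New("verification failed: checked against wrong key")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub[2+keyNumLen:]), msg, sig[2+keyNumLen:]) {
		return errors.New("signature verification failed")
	}
	return nil
}

func main() {
	kp, err := Generate()
	if err != nil {
		panic(err)
	}
	msg := []byte("contents of a distributed binary (constructed sample)\n")
	sig := kp.Sign(msg, "key.pub")
	fmt.Print(kp.PubFile(), sig)
	fmt.Println("valid:", Verify(kp.PubFile(), sig, msg))
	fmt.Println("tampered:", Verify(kp.PubFile(), sig, append(msg, 'x')))
}
```

The whole trust model is visible in about eighty lines: no key servers, no expiry, no subkeys, no web of trust, just a public key you obtained out of band and a signature over the exact bytes. That is the "one thing" the thread refers to, and also why a distribution migrating to it has to solve key distribution and rotation separately.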