Hi Matěj, On 10.10.24 21:13 Matěj Cepl wrote:
> Python developers have started to discuss PEP-761 [1], which is about stopping the signing of Python release tarballs with GPG and switching to sigstore. The discussion on discuss.python.org [2] grew rather large, including strong opposition from Fedora and openSUSE maintainers to using the Python-based sigstore client, preferring a compiled version [3] and requiring offline verification [4] (also supported by the Gentoo maintainer [4]). Hopefully there is also an alternative Go client [5]. A similar discussion has started on the Debian Python list [6].
Interesting.
> What runs through my mind is whether we, openSUSE as a whole, don't want to switch to sigstore for the security of our packages as well. What do you think?
I have not yet seen tarballs being signed with sigstore, only compiled binaries. So I am not sure how much use it would bring to have sigstore functionality integrated the way GPG currently is (where having a keyring in the package lets OBS check the integrity of the tarball). Or are you talking about signing the built RPMs with sigstore?

Kind Regards,
Johannes
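The GPG workflow Johannes describes (a public keyring checked into the package, a detached signature on the upstream tarball, and the build service checking one against the other without any network access), as an added example that is not from the thread or from OBS itself. It assumes gpg 2.1+ and gpgv are installed; every key and file is constructed on the spot, and "Release Bot" stands in for the real release manager's key.

```shell
#!/bin/sh
# Added example, not part of the thread: a keyring shipped in the package
# lets the build service verify the upstream tarball's detached GPG
# signature offline. All keys and files below are constructed here.
# Assumes gpg (2.1+) and gpgv are installed.
set -eu

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"   # throwaway keyring, never touches ~/.gnupg
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent >/dev/null 2>&1 || true; rm -rf "$WORK"' EXIT

# gen_key UID: unprotected key generated in batch mode, no prompts.
gen_key() {
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-gen-key "$1" default default never >/dev/null 2>&1
}
gen_key 'Release Bot <release@example.invalid>'   # the upstream signer
gen_key 'Someone Else <other@example.invalid>'    # a key nobody pinned

# Constructed "release tarball" and the upstream detached signature.
printf 'constructed tarball contents\n' > "$WORK/python.tar.xz"
gpg --batch --quiet --yes --local-user release@example.invalid \
    --armor --detach-sign --output "$WORK/python.tar.xz.asc" "$WORK/python.tar.xz"

# What the packager checks in: only the upstream public key, as a keyring file.
gpg --batch --quiet --export release@example.invalid > "$WORK/python.keyring"

# verify_tarball KEYRING SIGNATURE FILE -> prints "ok" or "FAIL".
# gpgv has no trust database and does no key discovery: if the signing key
# is not in the given keyring, or the bytes differ, it fails. That is the
# offline property the packagers in the thread are asking for.
verify_tarball() {
  if gpgv --keyring "$1" "$2" "$3" >/dev/null 2>&1; then echo ok; else echo FAIL; fi
}

# Case 2: same signature, one byte appended to the tarball.
cp "$WORK/python.tar.xz" "$WORK/tampered.tar.xz"
printf 'x' >> "$WORK/tampered.tar.xz"

# Case 3: a perfectly valid signature, but from a key the package does not pin.
gpg --batch --quiet --yes --local-user other@example.invalid \
    --armor --detach-sign --output "$WORK/other.asc" "$WORK/python.tar.xz"

echo "genuine:   $(verify_tarball "$WORK/python.keyring" "$WORK/python.tar.xz.asc" "$WORK/python.tar.xz")"
echo "tampered:  $(verify_tarball "$WORK/python.keyring" "$WORK/python.tar.xz.asc" "$WORK/tampered.tar.xz")"
echo "wrong key: $(verify_tarball "$WORK/python.keyring" "$WORK/other.asc" "$WORK/python.tar.xz")"
```

The third case is the one that matters for the keyring-in-package model: a signature is only worth anything if the verifier is pinned to a specific key, which is why the thread's demand for offline verification is really a demand for a pinned, locally stored trust root.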