by hifromwork
603 days ago
> In the PEP, Larson argues that providing PGP and sigstore signatures fails to give downstream projects any incentive to adopt sigstore. So long as CPython continues to provide PGP signatures, there is little motivation to adopt sigstore. No better way to convince people to use a standard than forcing them. Taking away choice by force sounds a bit contradictory to the idea of Open Source. I mean, maybe sigstore is a better idea, but why not let people make their choice.
I tried to cover this in PEP 761; it comes down to a few things:

Python release managers don't want to use PGP due to the ergonomic burden. They are volunteers too, after all. This is the key point, and we are making that sentiment clear early (and with an extendable timeline, also defining who gets to choose: the Steering Council) so that everyone else can plan and take action.

There have been past efforts to stop using PGP that failed, likely due to a lack of an alternative. Now there is an alternative, but having an alternative is not enough. Verifiers need to start using the new method. It's been 2 years and no Linux distributions support verifying with Sigstore.
From my perspective there has been little to no work to look into Sigstore and whether it's usable by Linux distros. There's a gap in understanding about how Sigstore works in some places. I would not have this perspective without starting this conversation, I've been sharing all the feedback with Sigstore folks along the way.
I hope this provides more context into the "why". This is why "do both forever" is not a solution for us.