Ditching OpenPGP, a new approach to signing APT repositories
Stefan Claas
spam.trap.mailing.lists at gmail.com
Tue Jun 22 14:56:25 PDT 2021
On Tue, Jun 22, 2021 at 11:20 PM Karl <gmkarl at gmail.com> wrote:
>
> Stefan,
>
>
> Thank you for sharing this. I'm afraid I'm not familiar with the Debian dev process to look this up: do you know what avenues will be available for Debian users to verify public keys? Will there be signatures on the keyrings?

Hi Karl,

good question, I must admit I have just seen this today and the software
seems to work the same as the one used by the OpenBSD[1] folks, who
also no longer use OpenPGP for signing packages.

[1] I have played with signify and minisign in the past and there are no options
to certify a pub key or keyring, which we know from how GnuPG works.

I guess they can sign the pub key file(s) between each other dev and then have
to publish those results in a safe place?!

Regards
Stefan