[$] Python PGP proposal poses packaging puzzles

<a href="https://docs.sigstore.dev/" rel="nofollow">Sigstore</a> is a project that is meant to simplify and improve the process of signing, verifying, and protecting software. It is a relatively new project, having become <a href="https://www.prnewswire.com/news-releases/sigstore-announces-general-availability-at-sigstorecon-301657741.html" rel="nofollow">"generally available"</a> in 2022. Python is an early adopter of sigstore; it started <a href="https://www.python.org/downloads/metadata/sigstore/" rel="nofollow">providing signatures for CPython artifacts</a> with <a href="https://www.python.org/downloads/release/python-3110/" rel="nofollow">Python 3.11.0</a> in 2022. This is in addition to the <a href="https://www.openpgp.org/" rel="nofollow">OpenPGP</a> signatures it has been providing <a href="https://peps.python.org/pep-0101/" rel="nofollow">since at least 2001</a>. Now, Seth Michael Larson—the <a href="https://www.python.org/psf-landing/" rel="nofollow">Python Software Foundation</a> (PSF) <a href="https://pyfound.blogspot.com/2023/06/announcing-our-new-security-developer.html" rel="nofollow">security developer-in-residence</a>—would like to deprecate the PGP signatures and move to sigstore exclusively by next year. If that happens, it will require changes in the way that Linux distributions verify Python releases, since none of the major distributions currently have processes for working with sigstore.

https://lwn.net/Articles/993787/