[$] Python PGP proposal poses packaging puzzles
https://docs.sigstore.dev/
is a
project that is meant to simplify and improve the process of signing,
verifying, and protecting software. It is a relatively new project, https://www.prnewswire.com/news-releases/sigstore-announces-general-availability-at-sigstorecon-301657741.html
"generally available" in 2022. Python is an early adopter of sigstore; it started <a href="https://www.python.org/downloads/metadata/sigstore/" rel="nofollow">providing
signatures for CPython artifacts</a> with https://www.python.org/downloads/release/python-3110/
in 2022. This is in addition to the https://www.openpgp.org/
signatures it has been
providing <a href="https://peps.python.org/pep-0101/" rel="nofollow">since at
least 2001</a>. Now, Seth Michael Larson—the <a href="https://www.python.org/psf-landing/" rel="nofollow">Python Software
Foundation</a> (PSF) <a href="https://pyfound.blogspot.com/2023/06/announcing-our-new-security-developer.html" rel="nofollow">security
developer-in-residence</a>—would like to deprecate the PGP
signature and move to sigstore exclusively by next year. If that
happens, it will involve some changes in the way that Linux
distributions verify Python releases, since none of the major
distributions have processes for working with sigstore.
https://lwn.net/Articles/993787/