bignose

Thanks @sethmlarson for committing to make volunteer maintainers' lives easier.

I'm sadly shocked, though, that PEP 761 lauds dependence on providers out of our control (Google, GitHub, etc.) as some improvement? Have we not learned that we need control of our identity, not platforms?

is a necessary part of divesting centralised power over our . Vesting yet more control in Microsoft is not the way.

This, from PEP 761, describes a regression, not an improvement:

“Sigstore’s security model depends more on centralized infrastructure compared to PGP, such as the “public good” signature transparency log (Rekor), certificate authority and transparency log (Fulcio), and the security of OpenID Connect identity providers like Google and GitHub.”

We need to *remove* control from those centralised, for-profit, . Not give them more.

@sethmlarson

I'm entirely sympathetic @sethmlarson with this passage:

“Requiring release managers to maintain and protect PGP private keys for seven or more years is an unnecessary burden in the new age of ergonomic and ephemeral signing keys.”

and I'm glad you're working to alleviate that.

That argues for improved *community-controlled* solutions. Not further entrenching centralisation.

Most alarmingly, @sethmlarson writes

“Maintaining the integrity of accounts on identity providers like GitHub is already an expectation of being a Python release manager or core team member, such as through multi-factor authentication and strong unique passwords.”

as though that's to be accepted? No! That is a *problem*, to be reduced, not exacerbated.

As it stands, PEP 761 addresses a real problem by handing control to Microsoft and Google: a known, bigger problem.

peps.python.org/pep-0761/

PEP 761 – Deprecating PGP signatures for CPython artifacts | peps.python.org
Since Python 3.11.0, CPython has provided two verifiable digital signatures for all CPython artifacts: PGP and Sigstore.

And no, I don't have an immediate controlled implementation to offer.

I do know, though, that whatever we move to needs to be out of the hands of the , so "just use your Google / GitHub / other identity" ain't it.

@sethmlarson

@bignose I think we are in agreement, I would love to have an ergonomic code-signing tool that didn't require active infrastructure investment from some other parties.

However, like you mentioned, no such tool exists. I feel like we're leaning too heavily on PGP existing and thus having it pushed as "the solution" that there's been a lack of innovation in this area. Discontinuing PGP doesn't mean "Sigstore-only and forever", if better tools come around we will evaluate them.

My objection, then, @sethmlarson, is that the PEP enshrines as a standard the recommendation to use those specific  (Google, Microsoft GitHub) without any hint at moving as quickly as possible *away* from those locked-in services.

@bignose Maybe my follow-up is that you and I and all internet users are already relying on a system not too different than Sigstore's, but in a lot of ways I am less trusting of: certificate authorities.

Transparency logs mean that we can detect misuse, and I trust the abilities of security engineers at Google or Microsoft more than many country CAs.
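The post above rests on the claim that a transparency log lets misuse be detected, not prevented: a compromised identity-provider account can still obtain a signing certificate, but the issuance is recorded where the legitimate identity owner can see it. As an added illustration that is not part of this thread and is not Sigstore's or Rekor's code, the following Python models that claim with a toy Merkle log using RFC 6962 leaf/node hashing and the RFC 9162 inclusion-proof check. A monitor re-verifies each entry's inclusion against the log's published root (so the operator cannot quietly omit entries) and flags signing events under a watched identity that the identity owner did not actually perform. Entry fields, identities, artifact names and the log contents are all constructed for the example.

```python
"""Toy transparency-log monitor (added example; not Sigstore or Rekor code).

The log does not stop a rogue signature from being created; it makes the
signing event visible, and a monitor owned by the identity holder can then
compare what the log says was signed under their identity against what they
actually signed.
"""
import hashlib
import json
from dataclasses import asdict, dataclass


def _leaf_hash(data: bytes) -> bytes:
    # RFC 6962 domain separation: 0x00 prefix for leaves
    return hashlib.sha256(b"\x00" + data).digest()


def _node_hash(left: bytes, right: bytes) -> bytes:
    # 0x01 prefix for interior nodes
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (RFC 6962 tree split point)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(leaves: list[bytes]) -> bytes:
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return _leaf_hash(leaves[0])
    k = _split(len(leaves))
    return _node_hash(merkle_root(leaves[:k]), merkle_root(leaves[k:]))


def inclusion_proof(leaves: list[bytes], index: int) -> list[bytes]:
    """Audit path (sibling hashes from leaf to root) for leaves[index]."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [merkle_root(leaves[k:])]
    return inclusion_proof(leaves[k:], index - k) + [merkle_root(leaves[:k])]


def verify_inclusion(leaf: bytes, index: int, size: int,
                     proof: list[bytes], root: bytes) -> bool:
    """RFC 9162 section 2.1.3.2: recompute the root from leaf + audit path."""
    if index >= size:
        return False
    fn, sn = index, size - 1
    r = _leaf_hash(leaf)
    for p in proof:
        if sn == 0:
            return False
        if fn & 1 or fn == sn:
            r = _node_hash(p, r)           # sibling is on the left
            if not fn & 1:                 # we were the right-most, unpaired node
                while True:
                    fn >>= 1
                    sn >>= 1
                    if fn & 1 or fn == 0:
                        break
        else:
            r = _node_hash(r, p)           # sibling is on the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root


@dataclass(frozen=True)
class LogEntry:
    artifact: str   # what was signed
    identity: str   # OIDC identity the short-lived signing certificate named
    issuer: str     # OIDC provider that vouched for that identity

    def encode(self) -> bytes:
        return json.dumps(asdict(self), sort_keys=True).encode()


# Constructed sample log.  Entry 3 is a signature under the release manager's
# identity that the release manager never made (what a stolen IdP session or
# a rogue identity provider would produce); entry 4 is someone else's upload.
SAMPLE_ENTRIES = [
    LogEntry("pkg-1.0.tgz", "rm@example.org", "https://idp.example.org"),
    LogEntry("pkg-1.0.tar.xz", "rm@example.org", "https://idp.example.org"),
    LogEntry("pkg-1.0.exe", "rm@example.org", "https://idp.example.org"),
    LogEntry("pkg-1.1.tgz", "rm@example.org", "https://idp.example.org"),
    LogEntry("other-2.0.whl", "dev@example.net", "https://idp.example.net"),
]
# The release manager's own record of what they really signed (constructed).
SIGNED_BY_ME = {"rm@example.org": {"pkg-1.0.tgz", "pkg-1.0.tar.xz", "pkg-1.0.exe"}}


def audit_log(entries: list[LogEntry], published_root: bytes,
              signed_by_me: dict[str, set[str]]) -> dict[str, list[int]]:
    """Return indexes of entries whose inclusion proof fails against the
    published root, and of entries signed under a watched identity for an
    artifact that identity's owner did not sign."""
    leaves = [e.encode() for e in entries]
    unproven, unexpected = [], []
    for i, e in enumerate(entries):
        proof = inclusion_proof(leaves, i)
        if not verify_inclusion(leaves[i], i, len(leaves), proof, published_root):
            unproven.append(i)
        if e.identity in signed_by_me and e.artifact not in signed_by_me[e.identity]:
            unexpected.append(i)
    return {"unproven": unproven, "unexpected": unexpected}


if __name__ == "__main__":
    root = merkle_root([e.encode() for e in SAMPLE_ENTRIES])
    print(audit_log(SAMPLE_ENTRIES, root, SIGNED_BY_ME))
```

The monitor can only flag entry 3 because the log made it visible; nothing in the construction prevented the signature from being issued in the first place, which is exactly the distinction the discussion turns on. Passing a root other than the one the log actually commits to causes every inclusion check to fail, which is how an equivocating operator would be caught.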

@sethmlarson
> already relying on a system not too different than Sigstore's, but in a lot of ways I am less trusting of: certificate authorities.

Please note that this is a "what-about" distraction; it is not an argument to vest more control in centralised proprietary user-hostile entities.

@sethmlarson

I truly respect the work that has clearly gone into the PEP. But the enshrinement and further promotion of a norm to centralised control of our identities is a huge issue with it.

If "well other nearby things are bad, why not make this bad too" is your response? That saddens me and shows that the PEP is not a step forward for our community.