Thanks @sethmlarson for committing to make #FreeSoftware #Python volunteer maintainers' lives easier.
I'm sadly shocked, though, that PEP 761 lauds dependence on #platform providers out of our control (Google, GitHub, etc.) as some improvement? Have we not learned that we need #community control of our identity, not #corporation platforms?
#ProtocolsNotPlatforms is a necessary part of divesting centralised power over our #SoftwareFreedom. Vesting yet more control in Microsoft is not the way.
This, from PEP 761, describes a regression, not an improvement:
“Sigstore’s security model depends more on centralized infrastructure compared to PGP, such as the “public good” signature transparency log (Rekor), certificate authority and transparency log (Fulcio), and the security of OpenID Connect identity providers like Google and GitHub.”
We need to *remove* control from those centralised, for-profit, #GrowthAtAllCosts #platforms. Not give them more.
I'm entirely sympathetic, @sethmlarson, with this passage:
“Requiring release managers to maintain and protect PGP private keys for seven or more years is an unnecessary burden in the new age of ergonomic and ephemeral signing keys.”
and I'm glad you're working to alleviate that.
That argues for improved *community-controlled* solutions. Not further entrenching #platform centralisation.
Most alarmingly, @sethmlarson writes
“Maintaining the integrity of accounts on identity providers like GitHub is already an expectation of being a Python release manager or core team member, such as through multi-factor authentication and strong unique passwords.”
as though that's to be accepted? No! That is a *problem*, to be reduced, not exacerbated.
As it stands, PEP 761 addresses a real problem by handing control to Microsoft and Google: a known, bigger problem.
And no, I don't have an immediate #community controlled implementation to offer.
I do know, though, that whatever we move to needs to be out of the hands of the #SurveillanceCapitalism #Platforms, so "just use your Google / GitHub / other #proprietary #platform identity" ain't it.
@bignose I think we are in agreement; I would love to have an ergonomic code-signing tool that didn't require active infrastructure investment from some other parties.
However, like you mentioned, no such tool exists. I feel like we're leaning too heavily on PGP existing, and thus having it pushed as "the solution", that there's been a lack of innovation in this area. Discontinuing PGP doesn't mean "Sigstore-only and forever"; if better tools come around we will evaluate them.
My objection, then, @sethmlarson, is that the PEP enshrines, as a standard, the recommendation to use those specific #platforms (Google, Microsoft GitHub) without any hint at moving as quickly as possible *away* from those locked-in services.
@bignose Maybe my follow-up is that you and I and all internet users are already relying on a system not too different than Sigstore's, but in a lot of ways I am less trusting of: certificate authorities.
Transparency logs mean that we can detect misuse, and I trust the abilities of security engineers at Google or Microsoft more than many country CAs.
@sethmlarson
> already relying on a system not too different than Sigstore's, but in a lot of ways I am less trusting of: certificate authorities.
Please note that is a "what-about" distraction; it is not an argument to vest more control in centralised proprietary user-hostile entities.
I truly respect the work that has clearly gone into the PEP. But the enshrinement and further promotion of a norm of centralised control of our identities is a huge issue with it.
If "well, other nearby things are bad, why not make this bad too" is your response, that saddens me and shows that the PEP is not a step forward for our community.