Andrey Rakhmatullin <[email protected]> writes:

> On Sat, Nov 01, 2025 at 02:29:06PM +0100, Simon Josefsson wrote:
>>> BTW, reaching for "modern" means that you will never succeed.  It will
>>> always be what's coming next.
>>
>>A (reduced feature) variant of 'apt' in perl or python
>
> Without signing support, I assume?

Implementing the subset of a PGP verifier in perl or python that handles
the Debian signatures is relatively low complexity, especially compared to
the complexity of all of apt today.

Although I think we are seeing the end of PGP utility in this context,
and I believe it will soon be reasonable to demand transparency chain
signatures rather than traditional signatures that allow the "hidden
release" attack by the private key holder.  The python ecosystem already
has a migration towards Sigstore and there are Go and C code signed this
way already, besides the large Docker container ecosystem.

/Simon
