Comment by woodruffw

1 year ago

You can still publish a package without signing it; none of this is mandatory (or even implemented yet).

IMO, one of the things that Sigstore will need to do to become a "serious" codesigning solution for OSS ecosystems is support one or more vendor-neutral IdPs: Sigstore itself is a Linux Foundation project and thus might be able to serve as the right venue for that, or it could be a CA/B-style affair where individual neutral IdPs can qualify for inclusion.

I'd love to make this happen, but there aren't really any IdPs that meet these criteria yet.

Happy to help get one going though!

  • You will run into this problem when developers from "fun" places like Russia and Iran try to sign packages since they are sanctioned by GitHub and other services. I am not sure about Python but quite a few high profile JavaScript libraries are by Russian engineers.

    • > they are sanctioned by GitHub and other services

      They're sanctioned by various governments around the world, not GitHub.

      I think this is an important difference, because GitHub doesn't really have much choice in this.

  • Ah yes. Let's give all of our personal information to USA… They are so trustworthy!