Pre-PEP discussion: Stop providing GPG signatures for CPython artifacts

Is there a reason why GPG signatures weren’t being used by Debian in the past, despite being available?

Agreed that it's tough to justify for a single upstream; however, I know that in the near future there will be multiple thousands of projects with Sigstore verification materials on PyPI thanks to the work of @woodruffw on PEP 740. I know that Debian/Ubuntu package projects from PyPI, and for many of these projects there aren't any GPG signatures available. Would this volume of projects and viable verification materials justify adopting Sigstore in uscan?