Hi,

I'm not familiar with the Python release process, but looking at the latest release https://www.python.org/downloads/release/python-3101/ we can see MD5 is still used ... which doesn't sound right in 2021 ... especially since we proved it's possible to build different .tar.gz that have the same MD5:

https://twitter.com/ydroneaud/status/1448659749604446211
https://twitter.com/angealbertini/status/1449736035110461443

You would reply there's an OpenPGP / GnuPG signature. But then I would like to raise another issue regarding the release process:

As the announcement on comp.lang.python.announce / python-announce-l...@python.org doesn't record the release digest / release signature, the operators behind https://www.python.org/downloads/release/python-3101/ are free to change the release content at any time, provided there's a valid signature. And there will be no way for us to check the release wasn't modified after the announcement.

It would be great if https://www.python.org/dev/peps/pep-0101/ were improved from the naive:

"Write the announcement for the mailing lists. This is the fuzzy bit because not much can be automated. You can use an earlier announcement as a template, but edit it for content!"

to require the release announcement to record release archive digests as SHA-2 256 (added point if the announcement is signed), or the armored OpenPGP signatures (but that's a lot of base64 characters).

Should I open a bug for this issue?

Regards.

--
Yann Droneaud
OPTEYA
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at https://mail.python.org/archives/list/python-dev@python.org/message/6NI6V7DHTXCTUTNC2C5YSGOB6UJRFUDR/
Code of Conduct: http://python.org/psf/codeofconduct/
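The check the message is asking for, as an added example that is not part of this python-dev thread, of PEP 101 or of the python.org release tooling: a small verifier that parses the digests recorded in a release announcement and compares a downloaded archive against them, refusing to accept a file for which only an MD5 is recorded. The announcement line format (`<algorithm>  <hexdigest>  <filename>`) is an assumption, and the archive bytes and announcement text below are constructed sample data, not a real Python release.

```python
"""Verify a release archive against digests recorded in a release announcement.

Added example, not code from the python-dev thread, PEP 101 or python.org.
The announcement format (lines of "<algorithm>  <hexdigest>  <filename>") is
an assumption; the archive and announcement below are constructed sample data.
"""
import hashlib
import hmac
import re

# Digest algorithms accepted for release verification. MD5 is deliberately
# left out: collisions for it are practical, so a matching MD5 does not prove
# the archive is the one the release manager announced.
STRONG_ALGORITHMS = {"sha256", "sha512"}

DIGEST_LINE = re.compile(
    r"^(?P<algo>[a-z0-9]+)\s+(?P<hex>[0-9a-f]+)\s+(?P<name>\S+)$", re.IGNORECASE
)


def parse_announcement(text):
    """Return {filename: {algorithm: hexdigest}} from digest lines in the announcement.

    Lines that do not look like a digest record (prose, headers, signature
    armor) are skipped.
    """
    digests = {}
    for line in text.splitlines():
        m = DIGEST_LINE.match(line.strip())
        if not m:
            continue
        algo = m.group("algo").lower()
        digests.setdefault(m.group("name"), {})[algo] = m.group("hex").lower()
    return digests


def verify_archive(name, data, digests):
    """Check archive bytes against the digests recorded for `name`.

    Returns (ok, reason). ok is True only when at least one strong digest is
    recorded for the file and every recorded strong digest matches.
    """
    recorded = digests.get(name)
    if not recorded:
        return False, "no digest recorded for %s in the announcement" % name
    strong = {a: h for a, h in recorded.items() if a in STRONG_ALGORITHMS}
    if not strong:
        weak = ", ".join(sorted(recorded))
        return False, "only weak digests (%s) recorded; cannot verify" % weak
    for algo, expected in sorted(strong.items()):
        actual = hashlib.new(algo, data).hexdigest()
        # Constant-time comparison, so the check does not leak how much of the
        # digest matched.
        if not hmac.compare_digest(actual, expected):
            return False, "%s mismatch for %s" % (algo, name)
    return True, "verified with " + ", ".join(sorted(strong))


def verify_file(path, name, announcement_text):
    """Convenience wrapper for a real download: read the file and verify it."""
    with open(path, "rb") as fh:
        data = fh.read()
    return verify_archive(name, data, parse_announcement(announcement_text))


# Constructed sample data: a stand-in for a release archive, and an
# announcement that records a SHA-256 and an MD5 for one file but only an
# MD5 for another (the situation the message above objects to).
SAMPLE_ARCHIVE = b"not a real tarball, just constructed sample bytes\n"
SAMPLE_ANNOUNCEMENT = """\
Python 3.10.1 is now available (constructed sample announcement)

Release archive digests:
sha256  %s  Python-3.10.1.tgz
md5     %s  Python-3.10.1.tgz
md5     0123456789abcdef0123456789abcdef  Python-3.10.1.tar.xz
""" % (
    hashlib.sha256(SAMPLE_ARCHIVE).hexdigest(),
    hashlib.md5(SAMPLE_ARCHIVE).hexdigest(),
)


if __name__ == "__main__":
    recorded = parse_announcement(SAMPLE_ANNOUNCEMENT)
    print(verify_archive("Python-3.10.1.tgz", SAMPLE_ARCHIVE, recorded))
    print(verify_archive("Python-3.10.1.tgz", SAMPLE_ARCHIVE + b"x", recorded))
    print(verify_archive("Python-3.10.1.tar.xz", SAMPLE_ARCHIVE, recorded))
```

The announcement text is the trust anchor here: if it is archived on the list (and ideally signed), a later change to the file served from the download page produces a SHA-256 mismatch that anyone can reproduce from the archived message, which is exactly what a valid-but-replaced signature on the download page would not reveal.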