On 14/12/2021 11.56, Yann Droneaud wrote:
Hi,

I'm not familiar with the Python release process, but looking at the latest release

https://www.python.org/downloads/release/python-3101/

we can see MD5 is still used ... which doesn't sound right in 2021 ...
especially since we proved it's possible to build different .tar.gz that have
the same MD5

https://twitter.com/ydroneaud/status/1448659749604446211
https://twitter.com/angealbertini/status/1449736035110461443

You would reply there's OpenPGP / GnuPG signature. But then I would like to raise another issue regarding the release process:

As the announcement on comp.lang.python.announce / python-announce-l...@python.org doesn't record the release digest / release signature, the operator behind https://www.python.org/downloads/release/python-3101/ is free to change the release content at any time, provided there's a valid signature. And there will be no way for us to check the release wasn't modified after the announcement.

It would be great if https://www.python.org/dev/peps/pep-0101/ would be improved from the naive:

  "Write the announcement for the mailing lists.  This is the fuzzy bit because not
   much can be automated.  You can use an earlier announcement as a template, but
   edit it for content!"

to require the release announcement to record release archive digests as SHA-2 256 (added point if the announcement is signed), or the armored OpenPGP signatures (but that's a lot of base64 characters).


I would also argue that OpenPGP signatures are a bad solution in 2021. PGP has not aged well and the GnuPG tool has flaws. Better, more modern options like sigstore are still under development, though.

We could (and maybe should) provide a SHA256 tag file (sha256sum --tag) and sign it with OpenPGP. The signature of a sha256 checksum file is as good as signing the files directly.

Christian
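As an added illustration of the checksum-file approach discussed in this thread (example code written for this page, not CPython's release tooling and not code from either poster): the script below writes a checksum file in the BSD-style format that `sha256sum --tag` produces (`SHA256 (name) = hexdigest`), parses it strictly, and verifies a directory of archives against it. The archive names and their contents are constructed stand-ins for the real release tarballs, and the `demo()` function reproduces the scenario raised above: digests are recorded at announcement time, an archive is later swapped on the download page, and the recorded digests catch the change. Signing the resulting `SHA256SUMS` file is left to the signer's own tool (for OpenPGP, a detached signature over that one small file).

```python
"""Build and verify a BSD-style SHA-256 tag file (the format written by
`sha256sum --tag`) for a set of release archives.

Added example for this page; not code from the python-dev thread or from
CPython's release process.  File names and contents below are constructed
so the example runs offline; they are not real CPython tarballs.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Line layout produced by `sha256sum --tag`: SHA256 (name) = 64 hex chars
TAG_LINE = re.compile(r"^SHA256 \((?P<name>.+)\) = (?P<digest>[0-9a-f]{64})$")


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large archives fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def write_tag_file(archives, out_path: Path) -> str:
    """Write a `sha256sum --tag`-compatible checksum file and return its text.

    An announcement or a detached signature then only has to cover this
    small text file rather than every archive."""
    lines = [f"SHA256 ({p.name}) = {sha256_file(p)}" for p in archives]
    text = "\n".join(lines) + "\n"
    out_path.write_text(text)
    return text


def parse_tag_file(text: str) -> dict:
    """Parse tag lines into {name: digest}.

    Malformed or duplicate lines raise instead of being skipped: a silently
    skipped line would be a file that never gets verified."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = TAG_LINE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a SHA256 tag line: {line!r}")
        if m["name"] in entries:
            raise ValueError(f"line {lineno}: duplicate entry for {m['name']}")
        entries[m["name"]] = m["digest"]
    return entries


def verify(directory: Path, tag_text: str) -> dict:
    """Check every archive recorded in the tag file.

    Returns {name: 'OK' | 'FAILED' | 'MISSING'} so a caller can fail the
    whole verification if any entry is not 'OK'."""
    results = {}
    for name, expected in parse_tag_file(tag_text).items():
        path = directory / name
        if not path.is_file():
            results[name] = "MISSING"
            continue
        results[name] = "OK" if sha256_file(path) == expected else "FAILED"
    return results


def demo() -> dict:
    """Constructed scenario: record digests, then modify one archive after the
    'announcement' and show that the recorded digests detect it."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Constructed stand-ins named after the 3.10.1 archives; not real content.
        tgz = d / "Python-3.10.1.tgz"
        xz = d / "Python-3.10.1.tar.xz"
        tgz.write_bytes(b"constructed tgz contents\n")
        xz.write_bytes(b"constructed tar.xz contents\n")
        announced = write_tag_file([tgz, xz], d / "SHA256SUMS")

        before = verify(d, announced)
        # Later swap of the .tgz on the download page: same name, new bytes.
        tgz.write_bytes(b"constructed tgz contents, modified after announcement\n")
        after = verify(d, announced)
        return {"before": before, "after": after}


if __name__ == "__main__":
    for phase, result in demo().items():
        print(phase, result)
```

The format is deliberately the one `sha256sum --tag` emits, so a file produced by this script can be checked with `sha256sum --check` as well, and a detached OpenPGP signature over `SHA256SUMS` covers every archive listed in it.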
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at 
https://mail.python.org/archives/list/python-dev@python.org/message/FEQAD752SIWTOBMLVOP2JJV3RFPRJBD4/
Code of Conduct: http://python.org/psf/codeofconduct/
