On Tue, Dec 14, 2021 at 9:06 AM Yann Droneaud <ydrone...@opteya.com> wrote:
> Hi,
>
> I'm not familiar with the Python release process, but looking at the latest
> release https://www.python.org/downloads/release/python-3101/
>
> we can see MD5 is still used ... which doesn't sound right in 2021 ...
> especially since we proved it's possible to build different .tar.gz that have
> the same MD5
>
> https://twitter.com/ydroneaud/status/1448659749604446211
> https://twitter.com/angealbertini/status/1449736035110461443
>
> You would reply there's an OpenPGP / GnuPG signature. But then I would like to
> raise another issue regarding the release process:
>
> As the announcement on comp.lang.python.announce /
> python-announce-l...@python.org doesn't record the release digest / release
> signature, the operators behind
> https://www.python.org/downloads/release/python-3101/ are free to change the
> release content at any time, provided there's a valid signature. And there
> will be no way for us to check the release wasn't modified after the
> announcement.

For source archives, one can diff the contents of the source download vs those
of the equivalent tag in the git repository. For binaries, well, there's already
a ton of trust involved in accepting a binary from anyone. But agreed, having
the currently secure hashes in the announcement email would be good.

> It would be great if https://www.python.org/dev/peps/pep-0101/ would be
> improved from the naive:
>
> "Write the announcement for the mailing lists. This is the fuzzy bit because
> not much can be automated. You can use an earlier announcement as a template,
> but edit it for content!"
>
> to require the release announcement to record release archive digests as
> SHA-2 256 (added point if the announcement is signed), or the armored OpenPGP
> signatures (but that's a lot of base64 characters).
>
> Should I open a bug for this issue?

Makes sense, it is a pretty small change to make to the announcement format.
Filed. https://bugs.python.org/issue46077

-gps

> Regards.
>
> --
> Yann Droneaud
> OPTEYA
>
> _______________________________________________
> Python-Dev mailing list -- python-dev@python.org
> To unsubscribe send an email to python-dev-le...@python.org
> https://mail.python.org/mailman3/lists/python-dev.python.org/
> Message archived at
> https://mail.python.org/archives/list/python-dev@python.org/message/6NI6V7DHTXCTUTNC2C5YSGOB6UJRFUDR/
> Code of Conduct: http://python.org/psf/codeofconduct/
_______________________________________________
Python-Dev mailing list -- python-dev@python.org
To unsubscribe send an email to python-dev-le...@python.org
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at
https://mail.python.org/archives/list/python-dev@python.org/message/OXS2TK43QKH2M54R5HHECOZ6HYCQGJON/
Code of Conduct: http://python.org/psf/codeofconduct/
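The two checks discussed in the thread, as an added example that is not code from the thread, from PEP 101 or from CPython's release tooling: pin a downloaded archive to a SHA-256 digest recorded in the announcement (so a later swap on the download page fails even if it carries a valid signature), and diff the tarball's contents against the tree at the release tag. The announcement format, the archive file names and the "tagged tree" dict are all constructed for the example; in practice the tag tree would come from a checkout of the tag, and the announcement would be the signed list post.

```python
from __future__ import annotations

import hashlib
import hmac
import io
import re
import tarfile

# Constructed announcement text (hypothetical format; not the wording CPython uses).
# The digest lines are rendered by make_announcement().
ANNOUNCEMENT_TEMPLATE = """\
Python 3.10.1 is now available.

SHA-256 digests of the release archives:
{digest_lines}
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_announcement(digests: dict[str, str]) -> str:
    """Render one 'name  sha256' line per archive into the template."""
    lines = "\n".join(f"  {name}  {digest}" for name, digest in sorted(digests.items()))
    return ANNOUNCEMENT_TEMPLATE.format(digest_lines=lines)


def parse_digests(announcement: str) -> dict[str, str]:
    """Pull 'filename  <64 hex chars>' lines out of the announcement body."""
    pattern = re.compile(r"^\s*(\S+)\s+([0-9a-fA-F]{64})\s*$", re.MULTILINE)
    return {name: digest.lower() for name, digest in pattern.findall(announcement)}


def verify_archive(name: str, archive: bytes, announcement: str) -> bool:
    """True only if the archive's SHA-256 equals the digest the announcement recorded."""
    expected = parse_digests(announcement).get(name)
    if expected is None:  # no digest published for this file: refuse rather than assume
        return False
    return hmac.compare_digest(sha256_hex(archive), expected)


def build_sample_archive(files: dict[str, bytes]) -> bytes:
    """Build a .tar.gz in memory from {path: content}; stands in for a release tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in sorted(files.items()):
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def archive_tree(archive: bytes) -> dict[str, str]:
    """Map every regular file in the tarball to the SHA-256 of its contents."""
    tree: dict[str, str] = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                tree[member.name] = sha256_hex(tar.extractfile(member).read())
    return tree


def diff_against_tag(archive: bytes, tagged_files: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare the tarball to the tree at the release tag (passed in as a dict here;
    a real check would read it from a checkout of the tag). Any non-empty list is a
    discrepancy to explain before trusting the download."""
    tag_tree = {path: sha256_hex(data) for path, data in tagged_files.items()}
    tar_tree = archive_tree(archive)
    return {
        "only_in_archive": sorted(set(tar_tree) - set(tag_tree)),
        "only_in_tag": sorted(set(tag_tree) - set(tar_tree)),
        "modified": sorted(p for p in tar_tree.keys() & tag_tree.keys()
                           if tar_tree[p] != tag_tree[p]),
    }


if __name__ == "__main__":
    # Constructed stand-in for the tree at the v3.10.1 tag and the tarball built from it.
    tag = {"Python-3.10.1/README.rst": b"CPython 3.10.1\n",
           "Python-3.10.1/setup.py": b"print('hello')\n"}
    released = build_sample_archive(tag)
    announcement = make_announcement({"Python-3.10.1.tgz": sha256_hex(released)})
    print("announced digest matches:", verify_archive("Python-3.10.1.tgz", released, announcement))

    # A replaced download, even if re-signed by whoever holds the release key, fails the
    # digest pinned in the announcement and shows up in the diff against the tag.
    swapped = build_sample_archive({**tag, "Python-3.10.1/setup.py": b"import os; os.system('id')\n"})
    print("swapped digest matches:", verify_archive("Python-3.10.1.tgz", swapped, announcement))
    print("diff vs tag:", diff_against_tag(swapped, tag))
```

The digest comparison goes through `hmac.compare_digest` out of habit rather than necessity (the digests are public), and a file with no published digest is treated as unverified rather than as passing; that is the case the thread is about, where the page carries a signature but the announcement recorded nothing to pin it to.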