On 04.04.2015 02:49, Donald Stufft wrote:
> 
>> On Apr 3, 2015, at 6:38 PM, M.-A. Lemburg <m...@egenix.com> wrote:
>>
>> On 04.04.2015 00:14, Steve Dower wrote:
>>> The thing is, that's exactly the same goodness as Authenticode gives, 
>>> except everyone gets that for free and meanwhile you're the only one who 
>>> has admitted to using GPG on Windows :)
>>>
>>> Basically, what I want to hear is that GPG sigs provide significantly 
>>> better protection than hashes (and I can provide better than MD5 for all 
>>> files if it's useful), taking into consideration that (I assume) I'd have 
>>> to obtain a signing key for GPG and unless there's a CA involved like there 
>>> is for Authenticode, there's no existing trust in that key.
>>
>> Hashes only provide checks against file corruption (and then
>> only if you can trust the hash values). GPG provides all the
>> benefits of public key encryption on arbitrary files (not just
>> code).
>>
>> The main benefit in case of downloadable installers is to
>> be able to make sure that the files are authentic, meaning that
>> they were created and signed by the people listed as packagers.
>>
>> There is no CA infrastructure involved as for SSL certificates
>> or Authenticode, but it's easy to get the keys from key servers
>> given the key signatures available from python.org's download
>> pages.
> 
> FTR if we’re relying on people to get the GPG keys from the download
> pages then there’s no additional benefit over just using a hash
> published on the same page.

Well, it's still better than just the hashes...

> In order to get additional benefit we’d need to get Steve’s key
> signed by enough people to get him into the strong set.

...but having the key signed by fellow core devs will certainly
add more goodness :-)

>> If you want to sign a package file using GPG, you will need
>> to create your own key, upload it to the key servers and then
>> place the signature up on the download page.
>>
>> Relying only on Authenticode for Windows installers would
>> result in a break in technology w/r to the downloads we
>> make available for Python, since all other files are (usually)
>> GPG signed:
>>
>> https://www.python.org/ftp/python/3.4.3/
>>
>> Cheers,
>> --
>> Marc-Andre Lemburg
>> eGenix.com
>>
>> Professional Python Services directly from the Source
>>>>> Python/Zope Consulting and Support ...        http://www.egenix.com/
>>>>> mxODBC.Zope.Database.Adapter ...             http://zope.egenix.com/
>>>>> mxODBC, mxDateTime, mxTextTools ...        http://python.egenix.com/
>> ________________________________________________________________________
>>
>> ::: Try our new mxODBC.Connect Python Database Interface for free ! ::::
>>
>>
>>   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
>>    D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
>>           Registered at Amtsgericht Duesseldorf: HRB 46611
>>               http://www.egenix.com/company/contact/
>>
>>
>>> Cheers,
>>> Steve
>>>
>>> Top-posted from my Windows Phone
>>> ________________________________
>>> From: M.-A. Lemburg<mailto:m...@egenix.com>
>>> Sent: 4/3/2015 10:55
>>> To: Steve Dower<mailto:steve.do...@microsoft.com>; Larry 
>>> Hastings<mailto:la...@hastings.org>; Python 
>>> Dev<mailto:python-dev@python.org>; 
>>> python-committers<mailto:python-committ...@python.org>
>>> Subject: Re: [python-committers] [Python-Dev] Do we need to sign Windows 
>>> files with GnuPG?
>>>
>>> On 03.04.2015 19:35, Steve Dower wrote:
>>>>> My Windows development days are firmly behind me. So I don't really have 
>>>>> an
>>>>> opinion here. So I put it to you, Windows Python developers: do you care 
>>>>> about
>>>>> GnuPG signatures on Windows-specific files? Or do you not care?
>>>>
>>>> The later replies seem to suggest that they are general goodness that 
>>>> nobody on Windows will use. If someone convinces me (or steamrolls me, 
>>>> that's fine too) that the goodness of GPG is better than a hash then I'll 
>>>> look into adding it into the process. Otherwise I'll happily add hash 
>>>> generation into the upload process (which I'm going to do anyway for the 
>>>> ones displayed on the download page).
>>>
>>> FWIW: I regularly check the GPG sigs on all important downloaded
>>> files, regardless of which platform they target, including the
>>> Windows installers for Python or any other Windows installers
>>> I use which provide such sigs.
>>>
>>> The reason is simple:
>>> The signature is a proof of authenticity which is not bound to
>>> a particular file format or platform and before running .exes
>>> it's good to know that they were built by the right people and
>>> not manipulated by trojans, viruses or malicious proxies.
>>>
>>> Is that a good enough reason to continue providing the GPG
>>> sigs or do you need more proof of goodness ? ;-)
>>>
>>>
>>
> 
> ---
> Donald Stufft
> PGP: 7C6B 7C5D 5E2B 6356 A926 F04F 6E3C BCE9 3372 DCFA

-- 
Marc-Andre Lemburg
eGenix.com

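As an added example (not code from this thread or from python.org), a small Python verifier that applies the distinction discussed above: the published hash on its own only catches corruption, while the detached GPG signature proves who built the file, but only if the signer's key fingerprint is pinned out-of-band rather than taken from the same download page. The fingerprint, file names and the gpg status lines in the comments are assumed placeholders.

```python
"""Two-step check of a downloaded installer: published hash, then detached GPG sig.
Added example for this thread, not python.org tooling; fingerprint and file
names are constructed placeholders."""
import hashlib
import subprocess

# Pin the signer's fingerprint out-of-band (a key you verified in person or via
# the core-dev web of trust), NOT from the download page: a key fetched from the
# same page as the file adds nothing a published hash does not already give.
PINNED_FPR = "0000000000000000000000000000000000000000"  # placeholder, not a real key


def sha256_matches(data: bytes, published_hex: str) -> bool:
    """Hash check: catches corruption, but only if the published hash is trusted."""
    return hashlib.sha256(data).hexdigest() == published_hex.strip().lower()


def signature_accepted(status_output: str, pinned_fpr: str) -> bool:
    """Decide from the machine-readable lines gpg prints with --status-fd.

    gpg exits 0 for a good signature from ANY key it knows, so the exit code is
    not enough: require a VALIDSIG whose fingerprint is the pinned one, and
    reject on the failure keywords wherever they appear.
    """
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        keyword = fields[1]
        if keyword in ("BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"):
            return False
        if keyword == "VALIDSIG" and len(fields) >= 3:
            # fields[2]: fingerprint of the signing (sub)key; last field: primary key
            if pinned_fpr.upper() in (fields[2].upper(), fields[-1].upper()):
                return True
    return False


def verify_download(installer: str, sig_file: str, published_sha256: str) -> bool:
    """Hash first (cheap), then signature; both must pass."""
    with open(installer, "rb") as f:
        data = f.read()
    if not sha256_matches(data, published_sha256):
        return False
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_file, installer],
        capture_output=True, text=True,
    )
    return signature_accepted(proc.stdout, PINNED_FPR)
```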