On 17.04.2015 19:31, "Martin v. Löwis" wrote:
> Am 17.04.15 um 00:46 schrieb M.-A. Lemburg:
>>> I had asked the PSF for a StartSSL certificate when the previous
>>> certificate expired, and the PSF was not able to provide one. After
>>> waiting several weeks for the PSF to provide the certificate,
Am 17.04.15 um 00:46 schrieb M.-A. Lemburg:
>> I had asked the PSF for a StartSSL certificate when the previous
>> certificate expired, and the PSF was not able to provide one. After
>> waiting several weeks for the PSF to provide the certificate, Kurt then
>> kindly went to Verisign.
>
> When was
On 16.04.2015 21:34, "Martin v. Löwis" wrote:
> Am 04.04.15 um 21:54 schrieb M.-A. Lemburg:
FWIW: The PSF mostly uses StartSSL nowadays and they also support code
signing certificates. Given that this option is a lot cheaper than
Verisign, I think we should switch, unless there are s
Am 05.04.15 um 06:43 schrieb Steve Dower:
> Now I just have to find the time to learn how to use it...
I always sign with Kleopatra on Windows. It's really simple: just drag
all files you want to sign onto it, configure "detached" signatures, and
it will place the signature next to the original fi
Am 04.04.15 um 21:54 schrieb M.-A. Lemburg:
>>> FWIW: The PSF mostly uses StartSSL nowadays and they also support code
>>> signing certificates. Given that this option is a lot cheaper than
>>> Verisign, I think we should switch, unless there are significant
>>> reasons not to. We should revisit th
Steve Dower writes:
> Nathaniel Smith wrote:
> > And I suspect python-dev generally doesn't put much weight on the
> > extra effort required (release managers have all been using gpg for
> > decades, it's pretty trivial)
>
> I'm aware of this, but still don't see it as a reason to unnecessarily
On 04/05/2015 06:41 AM, Antoine Pitrou wrote:
On Sun, 05 Apr 2015 01:06:01 -0700
Larry Hastings wrote:
On 04/04/2015 08:21 PM, Nathaniel Smith wrote:
(I guess you could call Larry or someone, read them a hash over the
phone, and then have them create the actual gpg signatures.)
By sheer coinc
ilto:robe...@robertcollins.net>
Sent: 4/4/2015 21:59
To: Steve Dower<mailto:steve.do...@microsoft.com>
Cc: M.-A. Lemburg<mailto:m...@egenix.com>; Larry
Hastings<mailto:la...@hastings.org>; Python Dev<mailto:python-dev@python.org>;
python-committers<mailto:python-committ
On Sun, 05 Apr 2015 01:06:01 -0700
Larry Hastings wrote:
>
> On 04/04/2015 08:21 PM, Nathaniel Smith wrote:
> > (I guess you could call Larry or someone, read them a hash over the
> > phone, and then have them create the actual gpg signatures.)
>
> By sheer coincidence, I believe Steve and I bot
Nathaniel Smith wrote:
> And I suspect python-dev generally doesn't put much weight on the
> extra effort required (release managers have all been using gpg for
> decades, it's pretty trivial)
I'm aware of this, but still don't see it as a reason to unnecessarily
duplicate process.
> or see any
On 04/04/2015 08:21 PM, Nathaniel Smith wrote:
(I guess you could call Larry or someone, read them a hash over the
phone, and then have them create the actual gpg signatures.)
By sheer coincidence, I believe Steve and I both live in the Seattle
area...!
//arry/
On 4 April 2015 at 11:14, Steve Dower wrote:
> The thing is, that's exactly the same goodness as Authenticode gives, except
> everyone gets that for free and meanwhile you're the only one who has
> admitted to using GPG on Windows :)
>
> Basically, what I want to hear is that GPG sigs provide sign
On Sat, Apr 4, 2015 at 6:07 PM, Steve Dower wrote:
> There's no problem, per se, but initially it was less trouble to use the
> trusted PSF certificate and native support than to add an extra step using a
> program I don't already use and trust, am restricted in use by my employer
> (because of th
..
Top-posted from my Windows Phone
From: Barry Warsaw<mailto:ba...@python.org>
Sent: 4/4/2015 9:11
To: python-dev@python.org<mailto:python-dev@python.org>
Subject: Re: [Python-Dev] [python-committers] Do we need to sign Windows files
with GnuPG?
On Ap
On Sat, Apr 4, 2015, at 03:54 PM, M.-A. Lemburg wrote:
> On 04.04.2015 21:49, Kurt B. Kaiser wrote:
> >
> >
> > On Sat, Apr 4, 2015, at 03:35 PM, M.-A. Lemburg wrote:
> >> On 04.04.2015 21:02, Kurt B. Kaiser wrote:
> >>> For the record, that is a Symantec/Verisign code signing
> >>> certificate
On 04.04.2015 21:49, Kurt B. Kaiser wrote:
>
>
> On Sat, Apr 4, 2015, at 03:35 PM, M.-A. Lemburg wrote:
>> On 04.04.2015 21:02, Kurt B. Kaiser wrote:
>>> For the record, that is a Symantec/Verisign code signing
>>> certificate. We paid $1123 for it last April. It expires
>>> April 2017.
>>>
>>>
On Sat, Apr 4, 2015, at 03:35 PM, M.-A. Lemburg wrote:
> On 04.04.2015 21:02, Kurt B. Kaiser wrote:
> > For the record, that is a Symantec/Verisign code signing
> > certificate. We paid $1123 for it last April. It expires
> > April 2017.
> >
> > If you don't switch to a different vendor, e.g. st
;
>> Cheers,
>> Steve
>>
>> Top-posted from my Windows Phone
>> ________
>> From: Wes Turner<mailto:wes.tur...@gmail.com>
>> Sent: 4/4/2015 6:42
>> To: M. -A. Lemburg<mailto:m...@egenix.com>
>> Cc: Python-D
15 6:42
> To: M. -A. Lemburg<mailto:m...@egenix.com>
> Cc: Python-Dev<mailto:python-dev@python.org>;
> python-committers<mailto:python-committ...@python.org>; Larry
> Hastings<mailto:la...@hastings.org>; Steve
> Dower<mailto:steve.do...@microsoft.com&g
@hastings.org>; Steve
Dower<mailto:steve.do...@microsoft.com>
Subject: Re: [Python-Dev] [python-committers] Do we need to sign Windows files
with GnuPG?
So, AFAIU from this discussion:
* Authenticode does not have a PKI
* GPG does have PKI
* ASC signatures are signed checksums
As far a
On 04.04.2015 16:41, Steve Dower wrote:
> "Relying only on Authenticode for Windows installers would result in a break
> in technology w/r to the downloads we make available for Python, since all
> other files are (usually) GPG signed"
>
> This is the point of this discussion. I'm willing to mak
On Apr 04, 2015, at 02:41 PM, Steve Dower wrote:
>"Relying only on Authenticode for Windows installers would result in a break
>in technology w/r to the downloads we make available for Python, since all
>other files are (usually) GPG signed"
It's the "only" part I have a question about.
Does the
"Relying only on Authenticode for Windows installers would result in a break in
technology w/r to the downloads we make available for Python, since all other
files are (usually) GPG signed"
This is the point of this discussion. I'm willing to make such a break because
I believe Authenticode is
lto:python-dev@python.org>;
python-committers<mailto:python-committ...@python.org>; Larry
Hastings<mailto:la...@hastings.org>; Steve
Dower<mailto:steve.do...@microsoft.com>
Subject: Re: [Python-Dev] [python-committers] Do we need to sign Windows files
with GnuPG?
So, AFAIU
So, AFAIU from this discussion:
* Authenticode does not have a PKI
* GPG does have PKI
* ASC signatures are signed checksums
As far as downstream packaging on Windows (people who should/could be
subscribed to release ANNs):
For Chocolatey NuGet:
* https://chocolatey.org/packages/python
* https:/
On 04.04.2015 02:49, Donald Stufft wrote:
>
>> On Apr 3, 2015, at 6:38 PM, M.-A. Lemburg wrote:
>>
>> On 04.04.2015 00:14, Steve Dower wrote:
>>> The thing is, that's exactly the same goodness as Authenticode gives,
>>> except everyone gets that for free and meanwhile you're the only one who
>>
On Apr 3, 2015 5:50 PM, "Donald Stufft" wrote:
>
>
> > On Apr 3, 2015, at 6:38 PM, M.-A. Lemburg wrote:
> >
> > On 04.04.2015 00:14, Steve Dower wrote:
> >> The thing is, that's exactly the same goodness as Authenticode gives,
except everyone gets that for free and meanwhile you're the only one w
> On Apr 3, 2015, at 6:38 PM, M.-A. Lemburg wrote:
>
> On 04.04.2015 00:14, Steve Dower wrote:
>> The thing is, that's exactly the same goodness as Authenticode gives, except
>> everyone gets that for free and meanwhile you're the only one who has
>> admitted to using GPG on Windows :)
>>
>>
On 04.04.2015 00:14, Steve Dower wrote:
> The thing is, that's exactly the same goodness as Authenticode gives, except
> everyone gets that for free and meanwhile you're the only one who has
> admitted to using GPG on Windows :)
>
> Basically, what I want to hear is that GPG sigs provide signifi
The thing is, that's exactly the same goodness as Authenticode gives, except
everyone gets that for free and meanwhile you're the only one who has admitted
to using GPG on Windows :)
Basically, what I want to hear is that GPG sigs provide significantly better
protection than hashes (and I can p
On 03.04.2015 19:35, Steve Dower wrote:
>> My Windows development days are firmly behind me. So I don't really have an
>> opinion here. So I put it to you, Windows Python developers: do you care
>> about
>> GnuPG signatures on Windows-specific files? Or do you not care?
>
> The later replies seem
On Fri, Apr 3, 2015 at 7:25 AM, Paul Moore wrote:
> On 3 April 2015 at 10:56, Larry Hastings wrote:
>> My Windows development days are firmly behind me. So I don't really have an
>> opinion here. So I put it to you, Windows Python developers: do you care
>> about GnuPG signatures on Windows-spe
On Apr 03, 2015, at 02:56 AM, Larry Hastings wrote:
>My Windows development days are firmly behind me. So I don't really have an
>opinion here. So I put it to you, Windows Python developers: do you care
>about GnuPG signatures on Windows-specific files? Or do you not care?
They're not mutually
On 03.04.2015 11:56, Larry Hastings wrote:
> My Windows development days are firmly behind me. So I don't really have an
> opinion here. So I put
> it to you, Windows Python developers: do you care about GnuPG signatures on
> Windows-specific files?
> Or do you not care?
Regardless of target