[Python-Dev] Status of packaging in 3.3

Vinay Sajip vinay_sajip at yahoo.co.uk
Fri Jun 22 14:09:04 CEST 2012


Paul Moore <p.f.moore at gmail.com> writes:

> Signed binaries may be a solution. My experience with signed binaries has not been exactly positive, but it's an option. Presumably PyPI would be the trusted authority? Would PyPI and the downloaders need to use SSL? Would developers need to have signing keys to use PyPI? And more to the point, do the people designing the packaging solutions have experience with this sort of stuff (I sure don't)?

I'm curious - what problems have you had with signed binaries? I dipped my toes in this particular pool with the Python launcher installers - I got a code signing certificate and signed my MSIs with it. The process was fairly painless. As far as I know, all signing does is to indicate that the binary package hasn't been tampered with and allows the downloader to decide whether they trust the signer not to have allowed backdoors, etc. I don't see that it mandates use of SSL, or even signing, by anyone. At least some people will require that an installer be invokable with an option that causes it to bail if any part of what's being installed can't be verified (for some value of "verified").

Regards,

Vinay Sajip
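As an added illustration of the two separate checks in the reply above (integrity: the package was not tampered with; trust: the downloader decides which signing keys to accept) and of the proposed installer option that bails if any part cannot be verified, here is a small Go program. It is not code from this thread or from any Python packaging tool; Go is used because its standard library carries Ed25519, so it runs stand-alone. The file name, key handling and the strict/non-strict behaviour are constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
)

// Part is one package component (an MSI, say) with its detached Ed25519 signature.
type Part struct {
	Name      string
	Content   []byte
	Signer    ed25519.PublicKey // key the developer claims to have signed with
	Signature []byte
}

// TrustedSigners is the downloader's local policy (raw public key bytes -> trusted).
type TrustedSigners map[string]bool

// VerifyPart keeps two questions apart: is the signer trusted, is the content intact.
func VerifyPart(t TrustedSigners, p Part) error {
	if len(p.Signer) != ed25519.PublicKeySize || !t[string(p.Signer)] {
		return fmt.Errorf("%s: signing key %x is not trusted", p.Name, p.Signer)
	}
	if !ed25519.Verify(p.Signer, p.Content, p.Signature) {
		return fmt.Errorf("%s: signature does not match content", p.Name)
	}
	return nil
}

// Install models the proposed installer option: strict mode bails if any part cannot be verified, otherwise it warns and proceeds.
func Install(t TrustedSigners, parts []Part, strict bool) ([]string, error) {
	var done []string
	for _, p := range parts {
		if err := VerifyPart(t, p); err != nil && strict {
			return nil, fmt.Errorf("aborting install: %w", err)
		} else if err != nil {
			fmt.Println("warning:", err) // non-strict mode reports and proceeds
		}
		done = append(done, p.Name)
	}
	return done, nil
}

func main() { // constructed demo: one developer key, one signed part
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	p := Part{Name: "launcher.msi", Content: []byte("msi bytes"), Signer: pub}
	p.Signature = ed25519.Sign(priv, p.Content) // the developer's signing step
	fmt.Println(Install(TrustedSigners{string(pub): true}, []Part{p}, true))
}
```

A valid signature from a key that is not in TrustedSigners proves only that someone signed the file; the trust decision stays with the downloader, which is the point the reply makes.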


