[Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?
M.-A. Lemburg mal at egenix.com
Sat Apr 4 18:57:28 CEST 2015
On 04.04.2015 16:41, Steve Dower wrote:
> "Relying only on Authenticode for Windows installers would result in a break in technology w/r to the downloads we make available for Python, since all other files are (usually) GPG signed"
>
> This is the point of this discussion. I'm willing to make such a break because I believe Authenticode is so much more convenient for end users that it isn't worth producing GPG signatures. So far, the responses seem to be:
>
> "I'd use them on Windows" x1
> "I'd consider using them on another OS" x2-3
> "Please don't change" everyone else
>
> At least that's the impression I'm getting, so I hope that helps clarify why I'm still not convinced it's that critical.
Just to clarify:
I have absolutely nothing against using Authenticode on Windows :-)
I'm only trying to convince you that additionally providing GPG sigs for Windows downloads is a good thing and we should not stop doing this, since it makes verification of downloaded files easier. It's not hard to do, can be automated and provides additional security which can be verified on any platform, not only Windows.
Cheers,
Marc-Andre Lemburg eGenix.com