[Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

M.-A. Lemburg mal at egenix.com
Sat Apr 4 18:57:28 CEST 2015


On 04.04.2015 16:41, Steve Dower wrote:
> "Relying only on Authenticode for Windows installers would result in a break in technology w/r to the downloads we make available for Python, since all other files are (usually) GPG signed"
> 
> This is the point of this discussion. I'm willing to make such a break because I believe Authenticode is so much more convenient for end users that it isn't worth producing GPG signatures. So far, the responses seem to be:
> 
> "I'd use them on Windows" x1
> "I'd consider using them on another OS" x2-3
> "Please don't change" everyone else
> 
> At least that's the impression I'm getting, so I hope that helps clarify why I'm still not convinced it's that critical.

Just to clarify:

I have absolutely nothing against using Authenticode on Windows :-)

I'm only trying to convince you that *additionally* providing GPG
sigs for Windows downloads is a good thing and we should not stop
doing this, since it makes verification of downloaded files
easier. It's not hard to do, can be automated and provides additional
security which can be verified on any platform, not only Windows.

Cheers,
-- 
Marc-Andre Lemburg
eGenix.com


