[SciPy-Dev] [Numpy-discussion] scipy 0.18 release candidate 1

Nathaniel Smith njs at pobox.com
Tue Jun 21 20:23:59 EDT 2016


On Jun 21, 2016 14:37, "Evgeni Burovski" <evgeny.burovskiy at gmail.com> wrote:
>
> One question --- equally applicable to both pre-release and final
> releases: Security. If we download the wheels from the build farm and
> then upload to PyPI, how can a user check that what they download has
> not been tampered with?
>
> For source tarballs (and previously, Windows installers), we PGP sign
> the git tag and include checksums in the README file. This way they
> can at least verify the checksums.

I'm dubious that this really accomplishes much:
  https://caremad.io/2013/07/packaging-signing-not-holy-grail/

But, if you want to include checksums in the README, you can do that by
just downloading the build farm wheels and checksumming them. This doesn't
protect against a compromised build farm, but neither does anything else.
(Even PGP signing doesn't protect you if your release manager's laptop is
compromised, and realistically any laptop that has write permissions on the
repository could add a backdoor with no one noticing, just by pushing it
directly to master with an innocuous commit message.)

OTOH even this crude download and checksum approach does at least make life
more difficult for anyone who tries to compromise the packages later after
the checksum is made.

-n
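As an added illustration of the download-and-checksum step Nathaniel describes (this is not code from the thread or from SciPy's own release tooling), the script below produces the `sha256  filename` lines a README would carry and then verifies a later download against them. The wheel filenames and bytes are constructed for the demo, and it assumes the published checksum list itself reaches the user over a channel the attacker cannot also rewrite.

```python
import hashlib
import hmac
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a large wheel never sits fully in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def checksum_manifest(paths):
    """Render the 'sha256  filename' lines that would go into a release README."""
    return "\n".join(f"{sha256_file(p)}  {os.path.basename(p)}" for p in paths)

def parse_manifest(text):
    """Parse the README block back into {filename: sha256}; blank and '#' lines are ignored."""
    rows = [line.split(None, 1) for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]
    return {name.strip(): digest.lower() for digest, name in rows}

def verify_download(path, manifest_text):
    """Return (ok, reason). A file absent from the manifest is not trusted either."""
    expected = parse_manifest(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        return False, f"{name} is not listed in the published checksums"
    actual = sha256_file(path)
    # compare_digest keeps the hex comparison free of a timing side channel.
    if not hmac.compare_digest(actual, expected[name]):
        return False, f"{name}: expected {expected[name]}, got {actual}"
    return True, f"{name}: checksum matches"

def demo():
    """Constructed wheels in a temp dir: one intact, one altered after the manifest was written."""
    with tempfile.TemporaryDirectory() as d:
        names = ["scipy-0.18.0rc1-cp35-cp35m-manylinux1_x86_64.whl",  # constructed names
                 "scipy-0.18.0rc1-cp35-cp35m-win_amd64.whl"]
        paths = [os.path.join(d, n) for n in names]
        for p in paths:
            with open(p, "wb") as f:
                f.write(b"PK\x03\x04 constructed wheel bytes for " + os.path.basename(p).encode())
        manifest = checksum_manifest(paths)
        with open(paths[1], "ab") as f:  # simulate tampering after the checksums were published
            f.write(b"\x00")
        return verify_download(paths[0], manifest)[0], verify_download(paths[1], manifest)[0]
```

As the post notes, this only detects modification after the manifest was written; it says nothing about what the build farm produced in the first place.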