[SciPy-Dev] [Numpy-discussion] scipy 0.18 release candidate 1

Charles R Harris charlesr.harris at gmail.com
Thu Jun 23 18:36:42 EDT 2016


On Thu, Jun 23, 2016 at 1:34 PM, Evgeni Burovski <evgeny.burovskiy at gmail.com> wrote:

> OK, here's what I'm going to do: I'll download the wheels from
> Matthew's build farm, checksum them along with the source tarballs,
> and add the checksums to the README file which is clearsigned with my
> PGP signature.
> That file gets uploaded to PyPI, Github releases and sent along with
> the release announcement to a bunch of mailing lists.
> (like this,
> https://mail.scipy.org/pipermail/scipy-dev/2016-January/021189.html)
>
> AFAICS, this would cover the main vectors, apart from (i) the build
> farm producing malicious stuff, (ii) RM or RM's laptop doing what it
> shouldn't be doing, or (iii) someone patching the wheels en route from
> the build farm to RM's laptop.
>
> I don't see how to address the first two points or whether we actually
> need to address those. The third one can be taken care of by
> checksumming the wheels on the build farm, so that RM can verify them
> before uploading.
>
> This is probably not too hard to do with some tweaks to MacPython's
> build scripts and/or terryfy download machinery Matthew described
> upthread (I'm still to figure out how to use that machinery, but
> that's separate).
>

I think there were problems with the terryfy machinery and signing, I asked
Matthew about that before re NumPy. If you just download the built wheels,
you can use twine to upload them with signatures, same with source files.

<snip>

Chuck
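The consumer side of the scheme Evgeni describes (checksums listed in a PGP-clearsigned README) as an added example, not code from the SciPy release tooling or this thread. It assumes the README carries sha256sum-style lines ("<hex digest>  <filename>"), that `gpg --verify` on the README has already been run separately (this script only parses the clearsigned body and compares digests, it does not check the signature), and the file names and contents in `demo()` are constructed.

```python
import hashlib
import os
import re
import tempfile

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"
SUM_LINE = re.compile(r"^([0-9a-fA-F]{64})\s+\*?(\S+)$")  # sha256sum output format


def clearsigned_body(text):
    """Extract the signed text: skip the 'Hash:' armor headers, undo dash-escaping."""
    lines = text.splitlines()
    start, end = lines.index(BEGIN_MSG) + 1, lines.index(BEGIN_SIG)
    while start < end and lines[start].strip():  # armor headers end at a blank line
        start += 1
    return "\n".join(l[2:] if l.startswith("- ") else l for l in lines[start + 1:end])


def parse_checksums(body):
    """Map filename -> expected sha256 hex digest, ignoring non-checksum lines."""
    matches = (SUM_LINE.match(l.strip()) for l in body.splitlines())
    return {m.group(2): m.group(1).lower() for m in matches if m}


def verify_files(manifest_text, directory):
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every listed file."""
    results = {}
    for name, expected in parse_checksums(clearsigned_body(manifest_text)).items():
        path = os.path.join(directory, os.path.basename(name))  # no path traversal
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        with open(path, "rb") as f:
            actual = hashlib.sha256(f.read()).hexdigest()
        results[name] = "OK" if actual == expected else "MISMATCH"
    return results


def demo():
    """Constructed scenario: an intact file, one altered after checksumming, one absent."""
    good, bad = b"intact wheel bytes", b"altered wheel bytes"
    h = lambda data: hashlib.sha256(data).hexdigest()
    manifest = "\n".join([BEGIN_MSG, "Hash: SHA256", "",
                          h(good) + "  example-good.whl",
                          h(good) + "  example-bad.whl",   # local copy differs
                          h(b"src") + "  example.tar.gz",  # never downloaded
                          BEGIN_SIG, "(signature omitted)", "-----END PGP SIGNATURE-----"])
    with tempfile.TemporaryDirectory() as d:
        for name, data in (("example-good.whl", good), ("example-bad.whl", bad)):
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return verify_files(manifest, d)
```

Any MISMATCH result means the downloaded file is not the one the release manager signed off on, which is the "patched en route" case from the thread.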