[SciPy-Dev] [Numpy-discussion] scipy 0.18 release candidate 1
Evgeni Burovski
evgeny.burovskiy at gmail.com
Thu Jun 23 15:34:21 EDT 2016
OK, here's what I'm going to do: I'll download the wheels from
Matthew's build farm, checksum them along with the source tarballs,
and add the checksums to the README file which is clearsigned with my
PGP signature.
That file gets uploaded to PyPI, Github releases and sent along with
the release announcement to a bunch of mailing lists.
(like this, https://mail.scipy.org/pipermail/scipy-dev/2016-January/021189.html)
AFAICS, this would cover the main vectors, apart from (i) the build
farm producing malicious stuff, (ii) RM or RM's laptop doing what it
shouldn't be doing, or (iii) someone patching the wheels en route from
the build farm to RM's laptop.
I don't see how to address two first points or whether we actually
need to address those. The third one can be taken care of by
checksumming the wheels on the build farm, so that RM can verify them
on before uploading.
This is probably not too hard to do with some tweaks to MacPython's
build scripts and/or terryfy download machinery Matthew described
upthread (I'm still to figure out how to use that machinery, but
that's separate).
On Thu, Jun 23, 2016 at 7:55 PM, Pauli Virtanen <pav at iki.fi> wrote:
> Thu, 23 Jun 2016 11:47:37 -0700, Nathaniel Smith kirjoitti:
> [clip]
>> I believe the question was specifically about wheels that aren't being
>> built by any of those three people though? But anyway, yeah, that is the
>> main situation where this kind of package signing might help, and which
>> I addressed in the second half of the email :-). But note that it would
>> also work just as well to, say, keep a text file in the scipy repo that
>> has the sha256 of every file uploaded to pypi. (Maybe even better,
>> because someone who attacked pypi could delete the PGP signatures to
>> confuse matters, and do you have backups?)
>
> How do I know one of these people pushed the commit that changed the
> checksums to the Scipy repository?
>
> PGP signatures do add stronger guarantees than just trusting Github,
> provided they you know the people whose keys are in question.
>
> _______________________________________________
> SciPy-Dev mailing list
> SciPy-Dev at scipy.org
> https://mail.scipy.org/mailman/listinfo/scipy-dev
More information about the SciPy-Dev
mailing list