[SciPy-Dev] [Numpy-discussion] scipy 0.18 release candidate 1

Matthew Brett matthew.brett at gmail.com
Thu Jun 23 18:43:52 EDT 2016


Hi,

On Thu, Jun 23, 2016 at 3:36 PM, Charles R Harris
<charlesr.harris at gmail.com> wrote:
>
>
> On Thu, Jun 23, 2016 at 1:34 PM, Evgeni Burovski
> <evgeny.burovskiy at gmail.com> wrote:
>>
>> OK, here's what I'm going to do: I'll download the wheels from
>> Matthew's build farm, checksum them along with the source tarballs,
>> and add the checksums to the README file which is clearsigned with my
>> PGP signature.
>> That file gets uploaded to PyPI, Github releases and sent along with
>> the release announcement to a bunch of mailing lists.
>> (like this,
>> https://mail.scipy.org/pipermail/scipy-dev/2016-January/021189.html)
>>
>> AFAICS, this would cover the main vectors, apart from (i) the build
>> farm producing malicious stuff, (ii) RM or RM's laptop doing what it
>> shouldn't be doing, or (iii) someone patching the wheels en route from
>> the build farm to RM's laptop.
>>
>> I don't see how to address the first two points or whether we actually
>> need to address those. The third one can be taken care of by
>> checksumming the wheels on the build farm, so that RM can verify them
>> before uploading.
>>
>> This is probably not too hard to do with some tweaks to MacPython's
>> build scripts and/or terryfy download machinery Matthew described
>> upthread (I'm still to figure out how to use that machinery, but
>> that's separate).
>
>
> I think there were problems with the terryfy machinery and signing, I asked
> Matthew about that before re NumPy. If you just download the built wheels,
> you can use twine to upload them with signatures, same with source files.

There were - I think that was to do with twine not accepting the flag
as it should - but it appears to work now.  For example, this command:

python terryfy/wheel-uploader  -r warehouse -v -s -t manylinux1 scipy 0.18.0rc1

has the `-s` flag which gets passed into twine, and so prompts you to
sign each wheel.

It would also be a good idea to prefer the https URL for the wheels, as in:

python terryfy/wheel-uploader -u https://3f23b170c54c2533c070-1c8a9b3114517dc5fe17b7c3f8c63a43.ssl.cf2.rackcdn.com -r warehouse -v -s -t manylinux1 scipy 0.18.0rc1

although the https directory listing and files appear to be updated
later than the http directory.

Cheers,

Matthew
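The build-farm-side checksumming Evgeni proposes above (point iii: a manifest made where the wheels are built, verified on the RM's laptop before anything is uploaded, then clearsigned) can be done with a few shell functions. This is an added illustration, not SciPy's release tooling or the terryfy scripts; it assumes GNU coreutils `sha256sum` and, for the signing step, a `gpg` with the RM's key in its keyring. The manifest name `SHA256SUMS` is a placeholder.

```shell
#!/bin/sh
# Added example (not SciPy's own release scripts): checksum manifest for
# release artifacts. Run make_manifest on the build farm, ship the manifest
# alongside the wheels, run verify_manifest on the RM's machine before
# uploading, then clearsign the manifest so downstream users can check it.
set -eu

# make_manifest MANIFEST FILE... : write one "sha256  filename" line per
# artifact, sorted by filename so two runs over the same files diff cleanly.
make_manifest() {
    manifest=$1
    shift
    for f in "$@"; do
        sha256sum "$f"
    done | sort -k2 > "$manifest"
}

# verify_manifest MANIFEST : exit 0 only if every listed file exists and
# matches its recorded digest. --strict also fails on malformed lines, so a
# truncated or edited manifest is rejected rather than silently skipped.
verify_manifest() {
    sha256sum -c --strict --quiet "$1"
}

# clearsign_manifest MANIFEST : produce MANIFEST.asc with gpg --clearsign
# (assumption: the RM's signing key is the default key in the keyring).
# Returns 2 when gpg is not installed so callers can tell "unsigned" from
# "signature failed".
clearsign_manifest() {
    if command -v gpg >/dev/null 2>&1; then
        gpg --clearsign --output "$1.asc" "$1"
    else
        echo "gpg not available; $1 left unsigned" >&2
        return 2
    fi
}
```

Because `sha256sum -c` re-reads the files in the current directory, the RM runs `verify_manifest` from the directory the wheels were downloaded into; a wheel altered between the build farm and the laptop, or a file missing from the download, makes the function return non-zero and the upload should stop there.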
