[Twisted-Python] Release questions
exarkun at twistedmatrix.com
exarkun at twistedmatrix.com
Wed Apr 3 14:51:41 MDT 2013
On 04:36 pm, _ at lvh.cc wrote:
>On Wed, Apr 3, 2013 at 6:14 PM, Thomas Hervé <therve at free.fr> wrote:
>> * Glyph mumbled something about sha sums of the release files,
>>instead
>>of md5. Should we pursue that? We may need to update some trac
>>integration code.
>
>Depends, what's the goal of the checksums? If it's "we want people to
>be
>able to check that the tarball they have is in fact the release and not
>something tainted by patches or malware", perhaps we either should have
>a
>Twisted signing key, or have the release manager sign the release
>instead
>(especially since we have a lot of signatures since PyCon :)).
The question relates to step 4 beneath "Cut the tarballs & installers":
http://twistedmatrix.com/trac/wiki/ReleaseProcess#Cutthetarballsinstallers
The checksums are intended to let people verify their download was
neither accidentally corrupted nor intentionally tampered with.
I think the original motivation for signing some checksums instead of
signing the release artifacts was something like:
* gpg is a pain to use, signing one thing is nicer than signing 30
things
* lots of people do not care about cryptographic concerns here, and the
checksum is good enough for them
Generating and signing a single document containing checksums of all the
files is less work for the release manager and offers both possible
audiences some value.
Perhaps it's a round-about way to achieve those goals, though. Is there
something simpler that we could do that wouldn't make releases harder or
kick sand in the eyes of people just trying to make sure their ethernet
card didn't hiccup?
Jean-Paul
More information about the Twisted-Python
mailing list