On 14/12/2021 11.56, Yann Droneaud wrote:
> Hi,
>
> I'm not familiar with the Python release process, but looking at the latest release https://www.python.org/downloads/release/python-3101/ we can see MD5 is still used ... which doesn't sound right in 2021 ... especially since we proved it's possible to build different .tar.gz that have the same MD5:
>
> https://twitter.com/ydroneaud/status/1448659749604446211
> https://twitter.com/angealbertini/status/1449736035110461443
>
> You would reply there's an OpenPGP / GnuPG signature. But then I would like to raise another issue regarding the release process:
>
> As the announcement on comp.lang.python.announce / [email protected] doesn't record the release digest / release signature, the operators behind https://www.python.org/downloads/release/python-3101/ are free to change the release content at any time, provided there's a valid signature. And there will be no way for us to check the release wasn't modified after the announcement.
>
> It would be great if https://www.python.org/dev/peps/pep-0101/ would be improved from the naive:
>
> "Write the announcement for the mailing lists. This is the fuzzy bit because not much can be automated. You can use an earlier announcement as a template, but edit it for content!"
>
> to require the release announcement to record release archive digests as SHA-2 256 (added point if the announcement is signed), or the armored OpenPGP signatures (but that's a lot of base64 characters).

I would also argue that OpenPGP signatures are a bad solution in 2021. PGP has not aged well and the GnuPG tool has flaws. Better, more modern options like sigstore are still under development, though. We could (and maybe should) provide a SHA256 tag file (sha256sum --tag) and sign it with OpenPGP. The signature of a sha256 checksum file is as good as signing the files directly.
Christian

_______________________________________________
Python-Dev mailing list -- [email protected]
To unsubscribe send an email to [email protected]
https://mail.python.org/mailman3/lists/python-dev.python.org/
Message archived at https://mail.python.org/archives/list/[email protected]/message/FEQAD752SIWTOBMLVOP2JJV3RFPRJBD4/
Code of Conduct: http://python.org/psf/codeofconduct/
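The checksum-file workflow Christian proposes (a `sha256sum --tag` file, one OpenPGP signature over that file, and downloaders verifying archives against it), as an added shell example that is not code from the thread or from the CPython release process; the archive name, the archive bytes and the gpg signing step are assumptions:

```shell
#!/bin/sh
# Added example, not from the thread or from CPython's release tooling.
# Produce a BSD-style SHA-256 tag file for the release archives, sign that
# single file, and verify an archive against it. Tampering with the archive
# after the tag file was published makes verification fail, which is what
# recording the digests in the (signed) announcement buys you.
set -eu

# Write SHA256SUMS for every .tar.gz in DIR. The --tag format is
# "SHA256 (name) = hex", the lines that would go into the announcement.
write_tag_file() {
    dir=$1
    ( cd "$dir" && sha256sum --tag -- *.tar.gz > SHA256SUMS )
}

# Detached, ASCII-armored OpenPGP signature over the tag file only.
# Assumes a default gpg signing key is configured (not exercised offline).
sign_tag_file() {
    dir=$1
    gpg --armor --detach-sign --output "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS"
}

# Verify DIR: check the OpenPGP signature first when SHA256SUMS.asc exists,
# then every recorded digest. Returns non-zero if either step fails.
verify_release() {
    dir=$1
    if [ -f "$dir/SHA256SUMS.asc" ]; then
        gpg --verify "$dir/SHA256SUMS.asc" "$dir/SHA256SUMS" 2>/dev/null || return 1
    fi
    ( cd "$dir" && sha256sum --check --quiet --strict SHA256SUMS ) 2>/dev/null
}

# Constructed sample release in a temporary directory; prints its path.
make_sample_release() {
    dir=$(mktemp -d)
    printf 'constructed release archive bytes\n' > "$dir/example-1.0.tar.gz"
    write_tag_file "$dir"
    printf '%s\n' "$dir"
}
```

Run `sign_tag_file DIR` on the release machine and publish SHA256SUMS and SHA256SUMS.asc next to the archives; `verify_release DIR` then checks both the signature and the digests.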