[Twisted-Python] Release questions

exarkun at twistedmatrix.com
Wed Apr 3 16:51:41 EDT 2013


On 04:36 pm, _ at lvh.cc wrote:
>On Wed, Apr 3, 2013 at 6:14 PM, Thomas Hervé <therve at free.fr> wrote:
>>  * Glyph mumbled something about sha sums of the release files, instead
>>of md5. Should we pursue that? We may need to update some trac
>>integration code.
>
>Depends, what's the goal of the checksums? If it's "we want people to be
>able to check that the tarball they have is in fact the release and not
>something tainted by patches or malware", perhaps we either should have a
>Twisted signing key, or have the release manager sign the release instead
>(especially since we have a lot of signatures since PyCon :)).

The question relates to step 4 beneath "Cut the tarballs & installers":

http://twistedmatrix.com/trac/wiki/ReleaseProcess#Cutthetarballsinstallers

The checksums are intended to let people verify their download was 
neither accidentally corrupted nor intentionally tampered with.

I think the original motivation for signing some checksums instead of 
signing the release artifacts was something like:

  * gpg is a pain to use, signing one thing is nicer than signing 30 things
  * lots of people do not care about cryptographic concerns here, and the 
checksum is good enough for them

Generating and signing a single document containing checksums of all the 
files is less work for the release manager and offers both possible 
audiences some value.

Perhaps it's a roundabout way to achieve those goals, though.  Is there 
something simpler that we could do that wouldn't make releases harder or 
kick sand in the eyes of people just trying to make sure their ethernet 
card didn't hiccup?

Jean-Paul
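The scheme described in this message, one signed checksum document that serves both audiences, as an added shell example (not the Twisted project's release tooling): it builds a SHA256SUMS file over constructed release files, signs it once, and shows which of the two downloader checks catches an accidental corruption and which catches a swapped file. openssl stands in for gpg so no keyring is needed, and the file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not part of the Twisted release process or its tooling:
# one SHA256SUMS document covering every release file, signed once, and
# the two checks a downloader runs. File names are constructed; openssl
# stands in for gpg so no keyring is needed (a real release uses gpg).
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway release-manager key pair, generated for this demo only.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out release.key 2>/dev/null
openssl pkey -in release.key -pubout -out release.pub

# Release manager: artifacts, one checksum document, one signature over it.
fresh_release() {
    printf 'tarball contents\n'   > Twisted-X.Y.Z.tar.bz2
    printf 'installer contents\n' > Twisted-X.Y.Z.win32-py2.7.msi
    sha256sum Twisted-X.Y.Z.* > SHA256SUMS
    openssl dgst -sha256 -sign release.key -out SHA256SUMS.sig SHA256SUMS
}

# Downloader, first audience: did the files arrive intact?
check_integrity() {
    sha256sum -c SHA256SUMS >/dev/null 2>&1
}
# Downloader, second audience: is SHA256SUMS the document the project signed?
check_authenticity() {
    openssl dgst -sha256 -verify release.pub \
        -signature SHA256SUMS.sig SHA256SUMS >/dev/null 2>&1
}

# Scenario 1: a flipped bit in transit; the checksum alone catches it.
corrupt_tarball() {
    printf 'x' >> Twisted-X.Y.Z.tar.bz2
}
# Scenario 2: a mirror serves a different tarball plus a matching, unsigned
# SHA256SUMS. The checksums agree, so only the signature check fails.
replace_tarball_and_sums() {
    printf 'other contents\n' > Twisted-X.Y.Z.tar.bz2
    sha256sum Twisted-X.Y.Z.* > SHA256SUMS
}
fresh_release
check_integrity && check_authenticity && echo "fresh release: both checks pass"
corrupt_tarball
check_integrity || echo "corrupted download: checksum mismatch, caught"
fresh_release
replace_tarball_and_sums
check_integrity && echo "swapped tarball and SHA256SUMS: checksums still match"
check_authenticity || echo "swapped tarball and SHA256SUMS: signature rejects it"
```

The second scenario is the reason the checksum document itself needs a signature: whoever can replace a tarball on a mirror can usually replace an unsigned checksum file next to it.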
