<html><head><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On Apr 3, 2013, at 3:23 PM, Laurens Van Houtven <_@lvh.cc> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Thu, Apr 4, 2013 at 12:04 AM, Glyph <span dir="ltr"><<a href="mailto:glyph@twistedmatrix.com" target="_blank">glyph@twistedmatrix.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The release manager already _does_ sign something. Since PyCon, we do have much better trust web integration, which is great, but that's not really relevant to this discussion, which is just about changing what we sign and how it gets signed.<br>
<div class="im"></div></blockquote><div><br></div><div>Yes, sorry; I thought there were just a bunch of hashes in a file somewhere, and forgot they were signed.<br></div><div> <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I think we should carry on with signing the list of signatures for now, and just upgrade the hash algorithm. Baby steps. Perhaps there are some theoretical benefits that come from signing the whole binary blob, but that's a much bigger change for a much smaller benefit.<br>
<br>
If anyone does have an interest in us doing this, I think the first step would be to write up a clear explanation of how it should be done.<span class="HOEnZb"><font color="#888888"><br></font></span></blockquote><div><br>
</div><div>I agree. Can't we just replace "md5sum" in the command line with "shasum -a 512"? Do we need a grace period where we deliver both the MD5 and SHA512 sums? (Perhaps there's an automated system out there that relies on the MD5 version being available, since that's all we have now.)<br>
</div></div></div></div></blockquote><div><br></div>Signing both certainly doesn't create any problems. I just have no idea what automation stuff parses this file as part of our _own_ release process. I was hoping someone who knew how it worked could examine it and tell me.</div><div><br></div><div>-glyph<br><br></div><div><br></div><br></body></html>