<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Wed, Apr 3, 2013 at 10:51 PM, <span dir="ltr"><<a href="mailto:exarkun@twistedmatrix.com" target="_blank">exarkun@twistedmatrix.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">The question relates to step 4 beneath "Cut the tarballs & installers":<br>
<br>
<a href="http://twistedmatrix.com/trac/wiki/ReleaseProcess#Cutthetarballsinstallers" target="_blank">http://twistedmatrix.com/trac/wiki/ReleaseProcess#Cutthetarballsinstallers</a><br>
<br>
The checksums are intended to let people verify their download was<br>
neither accidentally corrupted nor intentionally tampered with.<br></blockquote><div><br>Is the accidental corruption thing a real risk? I thought that was the point of, say, TCP checksums :) Perhaps I'm just mistaken as to how often his happens in the wild...<br>
</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
I think the original motivation for signing some checksums instead of<br>
signing the release artifacts was something like:<br>
<br>
* gpg is a pain to use, signing one thing is nicer than signing 30<br>
things<br>
* lots of people do not care about cryptographic concerns here, and the<br>
checksum is good enough for them<br></blockquote><div><br></div><div>Okay, fair enough. I'm a little worried about the "I don't care about the cryptography" part, if a user is consciously choosing that, fine; but what if they think they're doing something (verifying the integrity of the Twisted release) when in fact not doing that at all? Perhaps that's even rarer than the accidental corruption thing I so quickly dismissed just now, though ;-)<br>
</div><div><br></div><div>As for gpg being a pain to use, `ls | xargs -n 1 gpg --sign` seems to work for me provided you have gpg-agent (and have it configured to not need a signature every time). Is gpg-agent something we don't want to require from release managers?<br>
</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Generating and signing a single document containing checksums of all the<br>
files is less work for the release manager and offers both possible<br>
audiences some value.<br>
<br>
Perhaps it's a round-about way to achieve those goals, though. Is there<br>
something simpler that we could do that wouldn't make releases harder or<br>
kick sand in the eyes of people just trying to make sure their ethernet<br>
card didn't hiccup?<br></blockquote><div><br></div><div>Probably not, the current thing seems pretty easy, right? If I understand correctly, the only complaint is that "MD5 sucks". So if we upgrade that to SHA-256/512 (SHA-3 would be nice, but plenty of people don't have access to it yet on the command line...), that'd do it.<br>
</div><div><br></div><div>I don't think there is anything wrong with a hash sum file, I'm just concerned that the reasons for *not* having or verifying signatures might not be that great.<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Jean-Paul<br></blockquote><div> </div></div>-- <br><div dir="ltr">cheers<div>lvh</div></div>
</div></div>