[Twisted-Python] Release questions

Laurens Van Houtven _ at lvh.cc
Wed Apr 3 17:58:44 EDT 2013


On Wed, Apr 3, 2013 at 10:51 PM, <exarkun at twistedmatrix.com> wrote:

> The question relates to step 4 beneath "Cut the tarballs & installers":
>
> http://twistedmatrix.com/trac/wiki/ReleaseProcess#Cutthetarballsinstallers
>
> The checksums are intended to let people verify their download was
> neither accidentally corrupted nor intentionally tampered with.
>

Is the accidental corruption thing a real risk? I thought that was the
point of, say, TCP checksums :) Perhaps I'm just mistaken as to how often
this happens in the wild...


> I think the original motivation for signing some checksums instead of
> signing the release artifacts was something like:
>
>   * gpg is a pain to use, signing one thing is nicer than signing 30
> things
>   * lots of people do not care about cryptographic concerns here, and the
> checksum is good enough for them
>

Okay, fair enough. I'm a little worried about the "I don't care about the
cryptography" part, if a user is consciously choosing that, fine; but what
if they think they're doing something (verifying the integrity of the
Twisted release) when in fact not doing that at all? Perhaps that's even
rarer than the accidental corruption thing I so quickly dismissed just now,
though ;-)

As for gpg being a pain to use, `ls | xargs -n 1 gpg --sign` seems to work
for me provided you have gpg-agent (and have it configured to not need a
signature every time). Is gpg-agent something we don't want to require from
release managers?

> Generating and signing a single document containing checksums of all the
> files is less work for the release manager and offers both possible
> audiences some value.
>
> Perhaps it's a round-about way to achieve those goals, though.  Is there
> something simpler that we could do that wouldn't make releases harder or
> kick sand in the eyes of people just trying to make sure their ethernet
> card didn't hiccup?
>

Probably not, the current thing seems pretty easy, right? If I understand
correctly, the only complaint is that "MD5 sucks". So if we upgrade that to
SHA-256/512 (SHA-3 would be nice, but plenty of people don't have access to
it yet on the command line...), that'd do it.

I don't think there is anything wrong with a hash sum file, I'm just
concerned that the reasons for *not* having or verifying signatures might
not be that great.


> Jean-Paul
>

-- 
cheers
lvh
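The checksum-file-plus-signature scheme discussed in this thread, as an added shell example (this is not the Twisted release process's own tooling; the SHA256SUMS / SHA256SUMS.asc file names, the key id argument, and the sample file contents are assumptions). It builds one SHA-256 checksum file for a release directory, signs that one file with a detached gpg signature, and verifies in the order that matters: signature first (authenticity), then checksums (integrity of each artifact). A checksum file alone, as the message above notes, only catches corruption; anyone who can replace a tarball can replace the unsigned checksum file next to it.

```shell
#!/bin/sh
# Added example: one signed checksum file covering every release artifact.
# Not from the Twisted release process; names and layout are assumptions.
set -eu

# Pick a SHA-256 tool: GNU coreutils sha256sum, or Perl shasum on macOS.
sha256_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then
        echo "sha256sum"
    else
        echo "shasum -a 256"
    fi
}

# make_sums DIR: write DIR/SHA256SUMS covering every regular file in DIR,
# excluding any previous checksum file and signature. Paths are relative
# to DIR so that `sha256sum -c SHA256SUMS` works from inside the directory.
# Prints the path of the checksum file.
make_sums() {
    dir=$1
    ( cd "$dir" && rm -f SHA256SUMS SHA256SUMS.asc &&
      find . -type f ! -name 'SHA256SUMS*' | sed 's|^\./||' | LC_ALL=C sort |
      xargs $(sha256_cmd) > SHA256SUMS )
    echo "$dir/SHA256SUMS"
}

# check_sums DIR: succeed only if every file listed in SHA256SUMS matches.
# This is the "did my download get corrupted" check; it says nothing about
# whether SHA256SUMS itself is the one the release manager published.
check_sums() {
    dir=$1
    ( cd "$dir" && $(sha256_cmd) -c SHA256SUMS >/dev/null 2>&1 )
}

# sign_sums DIR KEYID: one gpg invocation per release, not one per tarball.
# Produces an ASCII-armoured detached signature DIR/SHA256SUMS.asc.
# KEYID is whatever key the release manager signs with (assumption: a key
# in the local keyring that gpg-agent can unlock).
sign_sums() {
    gpg --batch --yes --local-user "$2" --armor --detach-sign \
        --output "$1/SHA256SUMS.asc" "$1/SHA256SUMS"
}

# verify_release DIR: the signature authenticates SHA256SUMS, and SHA256SUMS
# then covers each artifact. Skipping the first step means a tampered
# SHA256SUMS would happily "verify" a tampered tarball.
verify_release() {
    gpg --batch --verify "$1/SHA256SUMS.asc" "$1/SHA256SUMS" && check_sums "$1"
}
```

Typical use by a release manager would be `make_sums dist/ && sign_sums dist/ "$KEYID"`, and by a downloader `verify_release dist/` after importing the release key; a downloader who only runs `check_sums` gets exactly the corruption-only guarantee the thread is worried about. The checksum lines are in the standard `sha256sum -c` format, so users without gpg can still verify them with stock tools.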

