[Twisted-Python] Release questions

Glyph glyph at twistedmatrix.com
Wed Apr 3 18:04:05 EDT 2013


On Apr 3, 2013, at 1:51 PM, exarkun at twistedmatrix.com wrote:

> On 04:36 pm, _ at lvh.cc wrote:
>> On Wed, Apr 3, 2013 at 6:14 PM, Thomas Hervé <therve at free.fr> wrote:
>>> * Glyph mumbled something about sha sums of the release files, instead of md5.
>>> Should we pursue that? We may need to update some trac integration code.
>> 
>> Depends, what's the goal of the checksums? If it's "we want people to be
>> able to check that the tarball they have is in fact the release and not
>> something tainted by patches or malware", perhaps we either should have a
>> Twisted signing key, or have the release manager sign the release instead
>> (especially since we have a lot of signatures since PyCon :)).

The release manager already _does_ sign something.  Since PyCon, we do have much better trust web integration, which is great, but that's not really relevant to this discussion, which is just about changing what we sign and how it gets signed.

> The question relates to step 4 beneath "Cut the tarballs & installers":
> 
> http://twistedmatrix.com/trac/wiki/ReleaseProcess#Cutthetarballsinstallers
> 
> The checksums are intended to let people verify their download was
> neither accidentally corrupted nor intentionally tampered with.
> 
> I think the original motivation for signing some checksums instead of
> signing the release artifacts was something like:
> 
>  * gpg is a pain to use, signing one thing is nicer than signing 30 things
>  * lots of people do not care about cryptographic concerns here, and the
>    checksum is good enough for them
> 
> Generating and signing a single document containing checksums of all the
> files is less work for the release manager and offers both possible
> audiences some value.
> 
> Perhaps it's a round-about way to achieve those goals, though.  Is there
> something simpler that we could do that wouldn't make releases harder or
> kick sand in the eyes of people just trying to make sure their ethernet
> card didn't hiccup?

Security-wise, signing an actually-secure hash is not that much different than signing the tarballs themselves.  Signing MD5 hashes, on the other hand, is useless as a security measure.

I think we should carry on with signing the list of signatures for now, and just upgrade the hash algorithm.  Baby steps.  Perhaps there are some theoretical benefits that come from signing the whole binary blob, but that's a much bigger change for a much smaller benefit.

If anyone does have an interest in us doing this, I think the first step would be to write up a clear explanation of how it should be done.

-glyph
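
As an added illustration (example code, not Twisted's release tooling and not part of the thread): the signed-manifest scheme exarkun describes, with the digest upgraded from MD5 to SHA-256 as Glyph proposes. It writes one sha256sum(1)-style document covering every artifact, checks downloads against it the way `sha256sum -c` would, and refuses a manifest whose digests are MD5-sized, since a signature over collidable hashes proves nothing about tampering. The signature over the manifest itself (gpg, detached or clearsigned) is done out of band and is not shown. Artifact names and contents are constructed for the demo; the manifest format, the `ACCEPTED` table and the function names are this example's own assumptions.

```python
"""Release manifest helper: hash every artifact with a collision-resistant
hash, emit one document in sha256sum(1) format, and verify downloads against
it.  The manifest (not each tarball) is the thing the release manager signs;
verifying that signature is done separately with gpg.
Example code, not Twisted's release process."""
import hashlib
import os
import tempfile

# Digest hex length -> algorithm accepted by the verifier.  MD5 (32 hex chars)
# is deliberately absent: collisions are practical, so a signed list of MD5
# sums does not tell you whether an artifact was swapped.
ACCEPTED = {64: "sha256", 128: "sha512"}


def digest_file(path, algorithm="sha256", chunk=1 << 16):
    """Hash a file in chunks so a large tarball is never loaded whole."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def write_manifest(directory, filenames, algorithm="sha256"):
    """The single document to sign: one '<hexdigest>  <name>' line per
    artifact, sorted so two runs over the same files produce the same text."""
    lines = []
    for name in sorted(filenames):
        digest = digest_file(os.path.join(directory, name), algorithm)
        lines.append("%s  %s" % (digest, name))
    return "\n".join(lines) + "\n"


def verify_manifest(directory, manifest):
    """Check each listed artifact like `sha256sum -c`.
    Returns {name: "OK" | "FAILED" | "MISSING"}; raises ValueError if the
    manifest's digests are not from an accepted (collision-resistant) hash."""
    results = {}
    for line in manifest.splitlines():
        if not line.strip():
            continue
        expected, name = line.split("  ", 1)
        algorithm = ACCEPTED.get(len(expected))
        if algorithm is None:
            raise ValueError(
                "rejecting manifest: %d-hex-char digests (MD5?) are not "
                "collision resistant" % len(expected))
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            results[name] = "MISSING"
        elif digest_file(path, algorithm) == expected:
            results[name] = "OK"
        else:
            results[name] = "FAILED"
    return results


def demo():
    """Constructed release directory with two fake artifacts; one is swapped
    after the manifest was produced (i.e. after it would have been signed).
    Returns (results before tampering, results after tampering)."""
    artifacts = [("release-1.0.tar.gz", b"constructed tarball bytes"),
                 ("release-1.0.win32.msi", b"constructed installer bytes")]
    with tempfile.TemporaryDirectory() as d:
        for name, data in artifacts:
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = write_manifest(d, os.listdir(d))
        clean = verify_manifest(d, manifest)
        # Attacker replaces the tarball; the signed manifest still names the
        # original digest, so the mismatch is detected.
        with open(os.path.join(d, "release-1.0.tar.gz"), "wb") as f:
            f.write(b"constructed tarball bytes + backdoor")
        tampered = verify_manifest(d, manifest)
    return clean, tampered


def md5_manifest_rejected():
    """An MD5 manifest is refused even when its digest matches the file."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "x"), "wb") as f:
            f.write(b"x")
        manifest = "%s  x\n" % hashlib.md5(b"x").hexdigest()
        try:
            verify_manifest(d, manifest)
        except ValueError:
            return True
    return False


if __name__ == "__main__":
    before, after = demo()
    print("before tampering:", before)
    print("after tampering: ", after)
    print("md5 manifest rejected:", md5_manifest_rejected())
```

The manifest text returned by `write_manifest` is what would be passed to `gpg --clearsign` (or `--detach-sign`); a user runs `gpg --verify` on it first, and only then trusts the digests it lists. That is why upgrading the hash is the whole of the security change here: the signature binds the release manager's key to the list, and the hash binds the list to the bytes on disk.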
