On 09Feb2016 1030, M.-A. Lemburg wrote:
> On 09.02.2016 18:41, Jeff Hardy wrote:
>> On Mon, Feb 8, 2016 at 12:34 PM, M.-A. Lemburg <m...@egenix.com> wrote:
>>>
>>> To everyone: We now have a PSF code signing certificate.
>>>
>>> I have sent the certificate to Steve for use in the Windows
>>> installers. If other developers need to create signed
>>> installers/code for Python, please let me know.
>>
>>
>> Hi Marc-Andre,
>> Would it be possible to use it for IronPython as well?
>
> I don't know. Steve is using it as Authenticode certificate,
>
> [SNIP]
>
> It will certainly work for signing executables and msi
> installers.
>
> Perhaps Steve can help with this.


There are three aspects to this: technical, political and security.

Technically, yes, IronPython could absolutely be signed with the same certificate.

Politically, it requires the PSF to be willing to put their name to the safety of the signed binaries and installers. Essentially, if/when something bad is done with or via something signed by the PSF, there is an implied responsibility (no idea how legally enforceable it is). I am not in a position to say whether or not this is okay for IronPython.

Security-wise, it is very important to minimize the number of people who have access to the certificate. Code signed with this certificate is basically given a free pass by most virus scanners and security software.

If we decide to start signing IronPython with the PSF certificate, I'd be most comfortable if I were doing the builds to avoid sharing the certificate any further than needed. But that isn't going to scale when all the other interpreters want equal treatment.

I'm not sure exactly what the cost of the certificate is to the PSF, but it may be an expense they're willing to take to get separate certs?

Cheers,
Steve
_______________________________________________
python-committers mailing list
python-committers@python.org
https://mail.python.org/mailman/listinfo/python-committers