Paul Moore <p.f.moore <at> gmail.com> writes: > Signed binaries may be a solution. My experience with signed binaries > has not been exactly positive, but it's an option. Presumably PyPI > would be the trusted authority? Would PyPI and the downloaders need to > use SSL? Would developers need to have signing keys to use PyPI? And > more to the point, do the people designing the packaging solutions > have experience with this sort of stuff (I sure don't )?
I'm curious - what problems have you had with signed binaries? I dipped my toes in this particular pool with the Python launcher installers - I got a code signing certificate and signed my MSIs with it. The process was fairly painless. As far as I know, all signing does is to indicate that the binary package hasn't been tampered with and allows the downloader to decide whether they trust the signer not to have allowed backdoors, etc. I don't see that it mandates use of SSL, or even signing, by anyone. At least some people will require that an installer be invokable with an option that causes it to bail if any part of what's being installed can't be verified (for some value of "verified"). Regards, Vinay Sajip _______________________________________________ Python-Dev mailing list Python-Dev@python.org http://mail.python.org/mailman/listinfo/python-dev Unsubscribe: http://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
