[Distutils] PEP 541 - Accepted
Hi All,

As the BDFL-Delegate, I’m happy to announce PEP 541 has been accepted.

PEP 541 has been voted by the packaging-wg (https://wiki.python.org/psf/PackagingWG/Charter):

- Donald Stufft
- Dustin Ingram
- Ernest W. Durbin III
- Ewa Jodlowska
- Kenneth Reitz
- Mark Mangoba
- Nathaniel J. Smith
- Nick Coghlan
- Nicole Harris
- Sumana Harihareswara

Thank you to the packaging-wg and to everyone that has contributed to PEP 541.

Best regards,
Mark

--
Mark Mangoba | PSF IT Manager | Python Software Foundation | mmang...@python.org | python.org | Infrastructure Staff: infrastructure-st...@python.org | GPG: 2DE4 D92B 739C 649B EBB8 CCF6 DC05 E024 5F4C A0D1

___
Distutils-SIG maillist - Distutils-SIG@python.org
https://mail.python.org/mailman/listinfo/distutils-sig
Re: [Distutils] Removing wheel signing features from the wheel library
On Fri, Mar 23, 2018, at 6:56 AM, alex.gronh...@nextday.fi wrote:
> If someone wanted to make a malicious file, what's preventing them
> from modifying the RECORD to match the modified file when there is no
> cryptographic signing involved?

Right: you need a way to verify RECORD on top of that. Like the signatures, or a way to distribute hashes of RECORD files separately. The hashes in RECORD are a foundation for building security systems, not a security system in themselves.

Thomas
Re: [Distutils] Removing wheel signing features from the wheel library
On Thu, 2018-03-22 at 21:56 +, Thomas Kluyver wrote:
> On Thu, Mar 22, 2018, at 9:25 PM, alex.gronh...@nextday.fi wrote:
> > I've been wondering about something – zip files already contain CRC
> > based checksums for each stored file. What benefit is there in
> > storing a RECORD file which basically duplicates this
> > functionality?
>
> In terms of providing a foundation for security checks, I think CRC
> checksums are insufficient - they are meant to detect random data
> corruption, not a deliberate effort to make a malicious file.

If someone wanted to make a malicious file, what's preventing them from modifying the RECORD to match the modified file when there is no cryptographic signing involved?

> > You could simply use a cryptographic hash of the entire wheel zip file.
>
> I guess the advantage of storing file hashes in RECORD is that
> they can be checked against the installed code, not just the wheel
> package.
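Thomas's two points in this thread, that the per-file hashes in RECORD can be checked against the installed files but that RECORD itself only means something once it is verified out of band, as an added example that is not code from the thread or from the wheel project. It assumes the RECORD line format `path,sha256=<urlsafe base64 without padding>,size` from PEP 376 / PEP 427 and constructs a tiny wheel-style zip in memory; `record_for` exists only to simulate a RECORD that no longer matches the files.

```python
import base64
import csv
import hashlib
import io
import zipfile

def _b64url_sha256(data):
    # RECORD stores hashes as urlsafe base64 without '=' padding (PEP 376 / PEP 427)
    return base64.urlsafe_b64encode(hashlib.sha256(data).digest()).rstrip(b"=").decode()

def _read_record(zf):
    return zf.read(next(n for n in zf.namelist() if n.endswith(".dist-info/RECORD")))

def build_wheel(files, record_for=None, dist_info="pkg-1.0.dist-info"):
    """Build a minimal wheel-style zip (constructed sample data). RECORD describes
    `record_for` if given, so a stale RECORD next to changed files can be simulated."""
    rows = [f"{n},sha256={_b64url_sha256(d)},{len(d)}" for n, d in (record_for or files).items()]
    rows.append(f"{dist_info}/RECORD,,")  # RECORD lists itself without a hash
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.writestr(f"{dist_info}/RECORD", "\n".join(rows) + "\n")
    return buf.getvalue()

def record_sha256(wheel):
    """Hex digest of RECORD; in practice this would come from a signature or the index."""
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        return hashlib.sha256(_read_record(zf)).hexdigest()

def verify_wheel(wheel, expected_record_sha256=None):
    """Return a list of problems; an empty list means every check passed."""
    problems, listed = [], set()
    with zipfile.ZipFile(io.BytesIO(wheel)) as zf:
        record = _read_record(zf)
        # Without this out-of-band check, a RECORD rewritten alongside the files verifies fine.
        if expected_record_sha256 and hashlib.sha256(record).hexdigest() != expected_record_sha256:
            problems.append("RECORD does not match the out-of-band digest")
        for path, hash_field, size in csv.reader(record.decode().splitlines()):
            listed.add(path)
            if not hash_field:  # the RECORD entry for itself carries no hash
                continue
            algo, _, value = hash_field.partition("=")
            data = zf.read(path) if path in zf.namelist() else None
            if data is None or algo != "sha256" or _b64url_sha256(data) != value or str(len(data)) != size:
                problems.append(f"{path}: missing, or hash/size mismatch")
        problems += [f"{n}: not listed in RECORD" for n in zf.namelist() if n not in listed]
    return problems
```

Run against a wheel whose RECORD was regenerated to match edited files, `verify_wheel(wheel)` reports nothing; only `verify_wheel(wheel, digest)` with a digest obtained separately catches it.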