Re: [Python-Dev] PEP 487 vs 422 (dynamic class decoration)

2015-04-05 Thread PJ Eby
On Sat, Apr 4, 2015 at 9:33 PM, Nick Coghlan ncogh...@gmail.com wrote:
> So actually reading https://gist.github.com/pjeby/75ca26f8d2a7a0c68e30
> properly, you're starting to convince me that a noconflict metaclass
> resolver would be a valuable and viable addition to the Python 3 type
> system machinery.
>
> The future possible language level enhancement would then be to make
> that automatic resolution of metaclass conflicts part of the *default*
> metaclass determination process. I realise you've been trying to
> explain that to me for a few days now, I'm just writing it out
> explicitly to make it clear I finally get it :)

I'm glad you got around to reading it.  Sometimes it's really
frustrating trying to get things like that across.

What's funny is that once I actually 1) wrote that version, and 2)
ended up doing a version of six's with_metaclass() function so I could
write 2/3 mixed code in DecoratorTools, I realized that there isn't
actually any reason why I can't write a Python 2 version of
noconflict.  Indeed, with a slight change to eliminate ClassType from
the metaclass candidate list, the Python 3 version would also work as
the Python 2 version: just use it as the explicit __metaclass__, or
use with_metaclass, i.e.:

    class something(base1, base2, ...):
        __metaclass__ = noconflict

        # ...

or:

    class something(with_metaclass(noconflict, base1, base2, ...)):
        # ...

And the latter works syntactically from Python 2.3 on up.


> My apologies for that - while I don't actually recall what I was
> thinking when I said it, I suspect I was all fired up that PEP 422 was
> definitely the right answer, and hence thought I'd have an official
> solution in place for you in fairly short order. I should have let you
> know explicitly when I started having doubts about it, so you could
> reassess your porting options.

Well, at least it's done now.  Clearing up the issue allowed me to
spend some time on porting some of the relevant libraries this
weekend, where I promptly ran into challenges with several of the
*other* features removed from Python 3 (like tuple arguments), but
fortunately those are issues more of syntactic convenience than
irreplaceable functionality.  ;-)
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com
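
Added example, not part of the message above and not the code from the linked gist: a minimal Python 3 sketch of the "noconflict" idea, where the explicit metaclass is a callable that derives one metaclass from the metaclasses of all bases. The class names Registering, Validating, A, B and C and the helper plain_conflicts are hypothetical, and the Python 2 ClassType handling mentioned in the message is not covered.

```python
def noconflict(name, bases, namespace, **kwargs):
    """Create the class with a metaclass derived from all bases' metaclasses."""
    candidates = []
    for meta in map(type, bases):
        if any(issubclass(c, meta) for c in candidates):
            continue  # an already selected metaclass is at least as derived
        # drop selected metaclasses that the new one already subclasses
        candidates = [c for c in candidates if not issubclass(meta, c)]
        candidates.append(meta)
    if not candidates:
        meta = type
    elif len(candidates) == 1:
        meta = candidates[0]
    else:
        derived_name = "_".join(c.__name__ for c in candidates)
        meta = type(derived_name, tuple(candidates), {})
    return meta(name, bases, namespace, **kwargs)

# Two unrelated, cooperative metaclasses (hypothetical names).
class Registering(type):
    def __init__(cls, name, bases, ns):
        super().__init__(name, bases, ns)
        cls.registered = True

class Validating(type):
    def __init__(cls, name, bases, ns):
        super().__init__(name, bases, ns)
        cls.validated = True

class A(metaclass=Registering):
    pass

class B(metaclass=Validating):
    pass

def plain_conflicts():
    """True if combining A and B without a resolver raises the usual TypeError."""
    try:
        class Broken(A, B):
            pass
    except TypeError:
        return True
    return False

# With the resolver as the explicit metaclass, both metaclasses take part.
class C(A, B, metaclass=noconflict):
    pass
```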


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-05 Thread Ben Finney
Steve Dower steve.do...@microsoft.com writes:

> Nathaniel Smith wrote:
>> And I suspect python-dev generally doesn't put much weight on the
>> extra effort required (release managers have all been using gpg for
>> decades, it's pretty trivial)
>
> I'm aware of this, but still don't see it as a reason to unnecessarily
> duplicate process.

That's a good argument. But it's one against Authenticode, because
that's a single-platform process that duplicates an existing convention
to use an open, free standard: OpenPGP certificates.

So the demands of “why do we need to duplicate this work?” should be
made to Microsoft for choosing to re-invent that long-standing and
superior (because open, free-software, and cross-platform) wheel.

-- 
 \  “At my lemonade stand I used to give the first glass away free |
  `\  and charge five dollars for the second glass. The refill |
_o__)contained the antidote.” —Emo Philips |
Ben Finney



Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-05 Thread Steve Dower
> One question, if you will - I don't think this was asked so far - is
> authenticode verifiable from Linux, without Windows? And does it work
> for users of WINE ?

I've seen some info suggesting that it's verifiable, but you do need to extract 
the cert and calculate the hash against less than the signed file. Seemed like 
Mono had a tool for it, but OpenSSL can handle the cert.

Currently the new installer doesn't run on Wine because of missing APIs (since 
I want to discuss alternate distribution ideas I haven't treated this as a 
priority), and I've heard they haven't implemented enough crypto yet to handle 
it, but that could be outdated.

> GPG sigs will provide protection against replay attacks

How does this work?

Cheers,
Steve

Top-posted from my Windows Phone

From: Robert Collins <robe...@robertcollins.net>
Sent: 4/4/2015 21:59
To: Steve Dower <steve.do...@microsoft.com>
Cc: M.-A. Lemburg <m...@egenix.com>; Larry Hastings <la...@hastings.org>;
Python Dev <python-dev@python.org>;
python-committers <python-committ...@python.org>
Subject: Re: [Python-Dev] [python-committers] Do we need to sign Windows files
with GnuPG?

On 4 April 2015 at 11:14, Steve Dower steve.do...@microsoft.com wrote:
> The thing is, that's exactly the same goodness as Authenticode gives, except
> everyone gets that for free and meanwhile you're the only one who has
> admitted to using GPG on Windows :)
>
> Basically, what I want to hear is that GPG sigs provide significantly better
> protection than hashes (and I can provide better than MD5 for all files if
> it's useful), taking into consideration that (I assume) I'd have to obtain a
> signing key for GPG and unless there's a CA involved like there is for
> Authenticode, there's no existing trust in that key.

GPG sigs will provide protection against replay attacks [unless we're
proposing to revoke signatures on old point releases with known
security vulnerabilities - something that Windows software vendors tend
not to do because of the dramatic and immediate effect on the deployed
base...]

This is not relevant for things we're hosting on SSL, but is if anyone
is mirroring our installers around. They don't seem to be so perhaps
it's a bit 'meh'.

OTOH I also think there is value in consistency: signing all our
artifacts makes checking back on them later easier, should we need to.

One question, if you will - I don't think this was asked so far - is
authenticode verifiable from Linux, without Windows? And does it work
for users of WINE ?

-Rob


--
Robert Collins rbtcoll...@hp.com
Distinguished Technologist
HP Converged Cloud
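
Added example, not part of the thread or any poster's code: the remark above that Authenticode verification hashes "less than the signed file" refers to the PE digest skipping the CheckSum field, the Certificate Table directory entry and the signature blob itself. This sketch computes that digest for the conventional layout only (signature blob last in the file) and does not validate the PKCS#7 signature; sample_pe builds a constructed, non-loadable test image.

```python
import hashlib
import struct

def authenticode_ranges(pe):
    """Return the byte ranges of a PE image that the Authenticode digest covers."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]          # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = nt + 24                                       # start of optional header
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):                     # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    checksum = opt + 64                                 # CheckSum field, 4 bytes
    cert_dir = opt + (128 if magic == 0x10B else 144)   # data directory entry 4
    cert_off, cert_len = struct.unpack_from("<II", pe, cert_dir)
    end = len(pe)
    if cert_len:
        # Simplification: accept only the usual layout, signature blob last.
        if cert_off < cert_dir + 8 or cert_off + cert_len != len(pe):
            raise ValueError("certificate table is not at the end of the file")
        end = cert_off
    return [(0, checksum), (checksum + 4, cert_dir), (cert_dir + 8, end)]

def authenticode_digest(pe, algo="sha256"):
    """Hash only the covered ranges, in file order."""
    h = hashlib.new(algo)
    for start, stop in authenticode_ranges(pe):
        h.update(pe[start:stop])
    return h.hexdigest()

def sample_pe(checksum=0, cert=b""):
    """Constructed minimal PE32-shaped image (headers plus filler, not loadable)."""
    img = bytearray(0x200) + b"\x90" * 64
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 24
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 64, checksum)
    if cert:
        struct.pack_into("<II", img, opt + 128, len(img), len(cert))
    return bytes(img) + cert

if __name__ == "__main__":
    unsigned = sample_pe()
    signed = sample_pe(checksum=0xDEADBEEF, cert=b"constructed signature blob")
    print("whole-file SHA-256 equal:", hashlib.sha256(unsigned).digest()
          == hashlib.sha256(signed).digest())
    print("Authenticode digest equal:", authenticode_digest(unsigned)
          == authenticode_digest(signed))
```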


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-05 Thread Antoine Pitrou
On Sun, 05 Apr 2015 01:06:01 -0700
Larry Hastings la...@hastings.org wrote:
>
> On 04/04/2015 08:21 PM, Nathaniel Smith wrote:
>> (I guess you could call Larry or someone, read them a hash over the
>> phone, and then have them create the actual gpg signatures.)
>
> By sheer coincidence, I believe Steve and I both live in the Seattle
> area...!

Meaning the phone works well enough there?

Regards

Antoine.




Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-05 Thread Larry Hastings


On 04/04/2015 08:21 PM, Nathaniel Smith wrote:
> (I guess you could call Larry or someone, read them a hash over the
> phone, and then have them create the actual gpg signatures.)


By sheer coincidence, I believe Steve and I both live in the Seattle 
area...!



//arry/


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-05 Thread Steve Dower
Nathaniel Smith wrote:
> And I suspect python-dev generally doesn't put much weight on the
> extra effort required (release managers have all been using gpg for
> decades, it's pretty trivial)

I'm aware of this, but still don't see it as a reason to unnecessarily 
duplicate process.

> or see any reason why Microsoft's internal GPL-hate should have any
> effect on the PSF's behaviour.

Seems the internal GPL-hate has softened even more than I was aware. The 
history for GPG was spotty, but my request was automatically approved, so I 
guess the line has been moved far enough away that I've lost that excuse :)

Now I just have to find the time to learn how to use it...

Cheers,
Steve


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-05 Thread Larry Hastings

On 04/05/2015 06:41 AM, Antoine Pitrou wrote:
> On Sun, 05 Apr 2015 01:06:01 -0700
> Larry Hastings la...@hastings.org wrote:
>> On 04/04/2015 08:21 PM, Nathaniel Smith wrote:
>>> (I guess you could call Larry or someone, read them a hash over the
>>> phone, and then have them create the actual gpg signatures.)
>>
>> By sheer coincidence, I believe Steve and I both live in the Seattle
>> area...!
>
> Meaning the phone works well enough there?

Meaning we could do it properly in person.  Anyway we're gonna take care 
of it at PyCon.



//arry/