Re: [Python-Dev] PEP 487 vs 422 (dynamic class decoration)

[PJ Eby]

On Sat, Apr 4, 2015 at 9:33 PM, Nick Coghlan  wrote:
> So actually reading https://gist.github.com/pjeby/75ca26f8d2a7a0c68e30
> properly, you're starting to convince me that a "noconflict" metaclass
> resolver would be a valuable and viable addition to the Python 3 type
> system machinery.
>
> The future possible language level enhancement would then be to make
> that automatic resolution of metaclass conflicts part of the *default*
> metaclass determination process. I realise you've been trying to
> explain that to me for a few days now, I'm just writing it out
> explicitly to make it clear I finally get it :)

I'm glad you got around to reading it.  Sometimes it's really
frustrating trying to get things like that across.

What's funny is that once I actually 1) wrote that version, and 2)
ended up doing a version of six's with_metaclass() function so I could
write 2/3 mixed code in DecoratorTools, I realized that there isn't
actually any reason why I can't write a Python 2 version of
noconflict.  Indeed, with a slight change to eliminate ClassType from
the metaclass candidate list, the Python 3 version would also work as
the Python 2 version: just use it as the explicit __metaclass__, or
use with_metaclass, i.e.:

class something(base1, base2, ...):
__metaclass__ = noconflict

# ...

or:

class something(with_metaclass(noconflict, base1, base2, ...)):
# ...

And the latter works syntactically from Python 2.3 on up.


> My apologies for that - while I don't actually recall what I was
> thinking when I said it, I suspect I was all fired up that PEP 422 was
> definitely the right answer, and hence thought I'd have an official
> solution in place for you in fairly short order. I should have let you
> know explicitly when I started having doubts about it, so you could
> reassess your porting options.

Well, at least it's done now.  Clearing up the issue allowed me to
spend some time on porting some of the relevant libraries this
weekend, where I promptly ran into challenges with several of the
*other* features removed from Python 3 (like tuple arguments), but
fortunately those are issues more of syntactic convenience than
irreplaceable functionality.  ;-)
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

[Ben Finney]

Steve Dower  writes:

> Nathaniel Smith wrote:
> > And I suspect python-dev generally doesn't put much weight on the 
> > extra effort required (release managers have all been using gpg for
> > decades, it's pretty trivial)
>
> I'm aware of this, but still don't see it as a reason to unnecessarily
> duplicate process.

That's a good argument. But it's one against Authenticode, because
that's a single-platform process that duplicates an existing convention
to use an open, free standard: OpenPGP certificates.

So the demands of “why do we need to duplicate this work?” should be
made to Microsoft for choosing to re-invent that long-standing and
superior (because open, free-software, and cross-platform) wheel.

-- 
 \  “At my lemonade stand I used to give the first glass away free |
  `\  and charge five dollars for the second glass. The refill |
_o__)contained the antidote.” —Emo Philips |
Ben Finney

___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

[Larry Hastings]

On 04/05/2015 06:41 AM, Antoine Pitrou wrote:

On Sun, 05 Apr 2015 01:06:01 -0700
Larry Hastings  wrote:

On 04/04/2015 08:21 PM, Nathaniel Smith wrote:

(I guess you could call Larry or someone, read them a hash over the
phone, and then have them create the actual gpg signatures.)

By sheer coincidence, I believe Steve and I both live in the Seattle
area...!

Meaning the phone works well enough there?


Meaning we could do it properly in person.  Anyway we're gonna take care 
of it at PyCon.



//arry/
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

[Steve Dower]

"One question, if you will - I don't think this was asked so far - is
authenticode verifiable from Linux, without Windows? And does it work
for users of WINE ?"

I've seen some info suggesting that it's verifiable, but you do need to extract 
the cert and calculate the hash against less than the signed file. Seemed like 
Mono had a tool for it, but OpenSSL can handle the cert.

Currently the new installer doesn't run on Wine because of missing APIs (since 
I want to discuss alternate distribution ideas I haven't treated this as a 
priority), and I've heard they haven't implemented enough crypto yet to handle 
it, but that could be outdated.

"GPG sigs will provide protection against replay attacks"

How does this work?

Cheers,
Steve

Top-posted from my Windows Phone

From: Robert Collins
Sent: ‎4/‎4/‎2015 21:59
To: Steve Dower
Cc: M.-A. Lemburg; Larry 
Hastings; Python Dev; 
python-committers
Subject: Re: [Python-Dev] [python-committers] Do we need to sign Windows files 
with GnuPG?

On 4 April 2015 at 11:14, Steve Dower  wrote:
> The thing is, that's exactly the same goodness as Authenticode gives, except
> everyone gets that for free and meanwhile you're the only one who has
> admitted to using GPG on Windows :)
>
> Basically, what I want to hear is that GPG sigs provide significantly better
> protection than hashes (and I can provide better than MD5 for all files if
> it's useful), taking into consideration that (I assume) I'd have to obtain a
> signing key for GPG and unless there's a CA involved like there is for
> Authenticode, there's no existing trust in that key.

GPG sigs will provide protection against replay attacks [unless we're
proposing to revoke signatures on old point releases with known
security vulnerabilities - something that Window software vendors tend
not to do because of the dramatic and immediate effect on the deployed
base...]

This is not relevant for things we're hosting on SSL, but is if anyone
is mirroring our installers around. They dont' seem to be so perhaps
its a bit 'meh'.

OTOH I also think there is value in consistency: signing all our
artifacts makes checking back on them later easier, should we need to.

One question, if you will - I don't think this was asked so far - is
authenticode verifiable from Linux, without Windows? And does it work
for users of WINE ?

-Rob


--
Robert Collins 
Distinguished Technologist
HP Converged Cloud
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

[Antoine Pitrou]

On Sun, 05 Apr 2015 01:06:01 -0700
Larry Hastings  wrote:
> 
> On 04/04/2015 08:21 PM, Nathaniel Smith wrote:
> > (I guess you could call Larry or someone, read them a hash over the
> > phone, and then have them create the actual gpg signatures.)
> 
> By sheer coincidence, I believe Steve and I both live in the Seattle 
> area...!

Meaning the phone works well enough there?

Regards

Antoine.


___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

[Steve Dower]

Nathaniel Smith wrote:
> And I suspect python-dev generally doesn't put much weight on the 
> extra effort required (release managers have all been using gpg for
> decades, it's pretty trivial)

I'm aware of this, but still don't see it as a reason to unnecessarily 
duplicate process.

> or see any reason why Microsoft's internal GPL-hate should have any
> effect on the PSF's behaviour.

Seems the "internal GPL-hate" has softened even more than I was aware. The 
history for GPG was spotty, but my request was automatically approved, so I 
guess the line has been moved far enough away that I've lost that excuse :)

Now I just have to find the time to learn how to use it...

Cheers,
Steve
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com

Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

[Larry Hastings]

On 04/04/2015 08:21 PM, Nathaniel Smith wrote:

(I guess you could call Larry or someone, read them a hash over the
phone, and then have them create the actual gpg signatures.)


By sheer coincidence, I believe Steve and I both live in the Seattle 
area...!



//arry/
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com