Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-03 Thread M.-A. Lemburg
On 03.04.2015 11:56, Larry Hastings wrote:
> My Windows development days are firmly behind me.  So I don't really have an 
> opinion here.  So I put
> it to you, Windows Python developers: do you care about GnuPG signatures on 
> Windows-specific files? 
> Or do you not care?

Regardless of target platform, I firmly believe we should (continue to)
GPG sign all distribution files as well as provide hash files/values
for them.

This is very useful to detect corrupted downloads or files which
were not created by the original packagers.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source
>>> Python/Zope Consulting and Support ...http://www.egenix.com/
>>> mxODBC.Zope.Database.Adapter ... http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...http://python.egenix.com/


::: Try our new mxODBC.Connect Python Database Interface for free ! 


   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
   Registered at Amtsgericht Duesseldorf: HRB 46611
   http://www.egenix.com/company/contact/
___
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev
Unsubscribe: 
https://mail.python.org/mailman/options/python-dev/archive%40mail-archive.com


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-03 Thread Barry Warsaw
On Apr 03, 2015, at 02:56 AM, Larry Hastings wrote:

>My Windows development days are firmly behind me.  So I don't really have an
>opinion here.  So I put it to you, Windows Python developers: do you care
>about GnuPG signatures on Windows-specific files?  Or do you not care?

They're not mutually exclusive, so why not do both?

I think the advantage of being able to verify the files on any platform is
useful.

Cheers,
-Barry


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-03 Thread Brian Curtin
On Fri, Apr 3, 2015 at 7:25 AM, Paul Moore  wrote:
> On 3 April 2015 at 10:56, Larry Hastings  wrote:
>> My Windows development days are firmly behind me.  So I don't really have an
>> opinion here.  So I put it to you, Windows Python developers: do you care
>> about GnuPG signatures on Windows-specific files?  Or do you not care?
>
> I don't have a very strong security background, so take my views with
> a pinch of salt, but I see Authenticode as a way of being sure that
> what I *run* is "OK". Whereas a GPG signature lets me check that the
> content of a file is as intended. So there are benefits to both, and I
> think we should continue to provide GPG signatures. (Disclaimer: I've
> never in my life actually *checked* a GPG signature for a file...)

I haven't been on Windows in a bit, but this is my
understanding/expectation as well.


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-03 Thread M.-A. Lemburg
On 03.04.2015 19:35, Steve Dower wrote:
>> My Windows development days are firmly behind me. So I don't really have an
>> opinion here. So I put it to you, Windows Python developers: do you care 
>> about
>> GnuPG signatures on Windows-specific files? Or do you not care?
> 
> The later replies seem to suggest that they are general goodness that nobody 
> on Windows will use. If someone convinces me (or steamrolls me, that's fine 
> too) that the goodness of GPG is better than a hash then I'll look into 
> adding it into the process. Otherwise I'll happily add hash generation into 
> the upload process (which I'm going to do anyway for the ones displayed on 
> the download page).

FWIW: I regularly check the GPG sigs on all important downloaded
files, regardless of which platform they target, including the
Windows installers for Python or any other Windows installers
I use which provide such sigs.

The reason is simple:
The signature is a proof of authenticity which is not bound to
a particular file format or platform and before running .exes
it's good to know that they were built by the right people and
not manipulated by trojans, viruses or malicious proxies.

Is that a good enough reason to continue providing the GPG
sigs or do you need more proof of goodness ? ;-)

-- 
Marc-Andre Lemburg
eGenix.com



Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-03 Thread Steve Dower
The thing is, that's exactly the same goodness as Authenticode gives, except 
everyone gets that for free and meanwhile you're the only one who has admitted 
to using GPG on Windows :)

Basically, what I want to hear is that GPG sigs provide significantly better 
protection than hashes (and I can provide better than MD5 for all files if it's 
useful), taking into consideration that (I assume) I'd have to obtain a signing 
key for GPG and unless there's a CA involved like there is for Authenticode, 
there's no existing trust in that key.

Cheers,
Steve

Top-posted from my Windows Phone



Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-03 Thread M.-A. Lemburg
On 04.04.2015 00:14, Steve Dower wrote:
> The thing is, that's exactly the same goodness as Authenticode gives, except 
> everyone gets that for free and meanwhile you're the only one who has 
> admitted to using GPG on Windows :)
> 
> Basically, what I want to hear is that GPG sigs provide significantly better 
> protection than hashes (and I can provide better than MD5 for all files if 
> it's useful), taking into consideration that (I assume) I'd have to obtain a 
> signing key for GPG and unless there's a CA involved like there is for 
> Authenticode, there's no existing trust in that key.

Hashes only provide checks against file corruption (and then
only if you can trust the hash values). GPG provides all the
benefits of public key encryption on arbitrary files (not just
code).

The main benefit in case of downloadable installers is to
be able to make sure that the files are authentic, meaning that
they were created and signed by the people listed as packagers.

There is no CA infrastructure involved as for SSL certificates
or Authenticode, but it's easy to get the keys from key servers
given the key signatures available from python.org's download
pages.

If you want to sign a package file using GPG, you will need
to create your own key, upload it to the key servers and then
place the signature up on the download page.

Relying only on Authenticode for Windows installers would
result in a break in technology w/r to the downloads we
make available for Python, since all other files are (usually)
GPG signed:

https://www.python.org/ftp/python/3.4.3/

Cheers,
-- 
Marc-Andre Lemburg
eGenix.com


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-03 Thread Donald Stufft

> On Apr 3, 2015, at 6:38 PM, M.-A. Lemburg  wrote:
> 
> On 04.04.2015 00:14, Steve Dower wrote:
>> The thing is, that's exactly the same goodness as Authenticode gives, except 
>> everyone gets that for free and meanwhile you're the only one who has 
>> admitted to using GPG on Windows :)
>> 
>> Basically, what I want to hear is that GPG sigs provide significantly better 
>> protection than hashes (and I can provide better than MD5 for all files if 
>> it's useful), taking into consideration that (I assume) I'd have to obtain a 
>> signing key for GPG and unless there's a CA involved like there is for 
>> Authenticode, there's no existing trust in that key.
> 
> Hashes only provide checks against file corruption (and then
> only if you can trust the hash values). GPG provides all the
> benefits of public key encryption on arbitrary files (not just
> code).
> 
> The main benefit in case of downloadable installers is to
> be able to make sure that the files are authentic, meaning that
> they were created and signed by the people listed as packagers.
> 
> There is no CA infrastructure involved as for SSL certificates
> or Authenticode, but it's easy to get the keys from key servers
> given the key signatures available from python.org's download
> pages.

FTR if we’re relying on people to get the GPG keys from the download
pages then there’s no additional benefit over just using a hash
published on the same page.

In order to get additional benefit we’d need to get Steve’s key
signed by enough people to get him into the strong set.


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-03 Thread Nathaniel Smith
On Apr 3, 2015 5:50 PM, "Donald Stufft"  wrote:
> FTR if we’re relying on people to get the GPG keys from the download
> pages then there’s no additional benefit over just using a hash
> published on the same page.
>
> In order to get additional benefit we’d need to get Steve’s key
> signed by enough people to get him into the strong set.

I don't think that's true -- e.g. people who download the key for checking
3.5.0 will still have it when 3.5.1 is released, and notice if something
silently changes. In general distributing a key id widely on webpages /
mailing lists / using it consistently over multiple releases all increase
security, even if they fall short of perfect. Even the web of trust isn't
particularly trustworthy, it's just useful because it's harder to attack
two targets (the webserver and the WoT) than it is to attack one.

In any case, getting his key into the strong set ought to be trivial given
that pycon is next week.

-n
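One way to act on the two points made above (Marc-Andre's distinction between a hash that only catches corruption and a signature that proves who built the file, and Nathaniel's observation that a key kept from the 3.5.0 download lets you notice if 3.5.1 is signed by something else) is to pin the signer's fingerprint and refuse anything gpg accepts under a different key. The script below is an added example written for this thread; it is not part of python.org's release tooling. It assumes gpg is on PATH with the signer's public key imported for the live `gpg_verify` path; the fingerprints, key ids and status lines are placeholders constructed for the example, not real python.org keys or real gpg output.

```python
"""Hash check plus pinned-key GnuPG verification for a downloaded release file.

Added example for this thread, not code from python.org's release process.
Assumed: gpg is on PATH with the signer's public key imported; the
fingerprints and status lines below are placeholders/constructed samples,
not real python.org keys or gpg output.
"""
import hashlib
import subprocess
from typing import Iterable, Tuple

# Fingerprints a user saved after verifying an earlier release (placeholders).
PINNED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# gpg status keywords that mean the signature must not be accepted.
FATAL_STATUS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def sha256_matches(data: bytes, expected_hex: str) -> bool:
    """Corruption check only: whoever can swap the file on the download
    page can swap the published hash beside it."""
    return hashlib.sha256(data).hexdigest() == expected_hex.lower()


def evaluate_gpg_status(status_lines: Iterable[str]) -> Tuple[bool, str]:
    """Judge `gpg --status-fd` output: valid signature AND pinned signer.

    gpg prints GOODSIG/VALIDSIG for any key it holds, plus TRUST_UNDEFINED
    when that key is not in the user's web of trust.  Pinning the
    fingerprint replaces the web-of-trust step with first-use trust
    carried over from a previous release.
    """
    signer_fpr = None
    for line in status_lines:
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in FATAL_STATUS:
            return False, keyword
        if keyword == "VALIDSIG":
            # VALIDSIG <fpr> <date> <ts> <expire-ts> <ver> <rsvd> <pk-algo>
            #          <hash-algo> <class> [<primary-key-fpr>]
            # Pin on the primary key when gpg reports it (signing subkeys rotate).
            signer_fpr = (fields[11] if len(fields) >= 12 else fields[2]).upper()
    if signer_fpr is None:
        return False, "NO_VALIDSIG"
    if signer_fpr not in PINNED_FINGERPRINTS:
        return False, "UNPINNED_KEY " + signer_fpr
    return True, "OK " + signer_fpr


def gpg_verify(sig_path: str, data_path: str) -> Tuple[bool, str]:
    """Run gpg on a detached .asc and feed its status lines to the checker."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True,
    )
    return evaluate_gpg_status(proc.stdout.splitlines())


# Constructed status output, shaped like gpg's, for an offline demonstration.
STATUS_GOOD = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 89ABCDEF01234567 Release Manager <rm@example.invalid>",
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2015-03-25 "
    "1427241600 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# Same shape, but signed by a key the user never pinned: gpg still reports
# "Good signature" if that key was fetched from a key server.
STATUS_IMPOSTOR = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 76543210FEDCBA98 Release Manager <rm@example.invalid>",
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2015-03-25 "
    "1427241600 0 4 0 1 10 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
# Tampered installer: the signature no longer matches the bytes.
STATUS_TAMPERED = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] BADSIG 89ABCDEF01234567 Release Manager <rm@example.invalid>",
]


if __name__ == "__main__":
    for name, lines in (("good", STATUS_GOOD), ("impostor", STATUS_IMPOSTOR),
                        ("tampered", STATUS_TAMPERED)):
        print(name, evaluate_gpg_status(lines))
```

With a real download the call is `gpg_verify("python-3.4.3.msi.asc", "python-3.4.3.msi")` after a `sha256_matches` pass on the file bytes. Plain `gpg --verify` prints "Good signature" followed by a warning that the key is not certified, and most users stop reading at the first line; the fingerprint pin is what turns that output into a yes/no decision, and it is the part that a hash on the same download page cannot give you.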


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-04 Thread M.-A. Lemburg
On 04.04.2015 02:49, Donald Stufft wrote:
> 
> FTR if we’re relying on people to get the GPG keys from the download
> pages then there’s no additional benefit over just using a hash
> published on the same page.

Well, it's still better than just the hashes...

> In order to get additional benefit we’d need to get Steve’s key
> signed by enough people to get him into the strong set.

...but having the key signed by fellow core devs will certainly
add more goodness :-)


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-04 Thread Wes Turner
So, AFAIU from this discussion:

* Authenticode does not have a PKI
* GPG does have PKI
* ASC signatures are signed checksums

As far as downstream packaging on Windows (people who should/could be
subscribed to release ANNs):

For Chocolatey NuGet:

* https://chocolatey.org/packages/python
* https://chocolatey.org/packages/python.x86
* https://chocolatey.org/packages/python2
* https://chocolatey.org/packages/python-x86_32
* https://chocolatey.org/packages/python3

Python(x,y):

* https://code.google.com/p/pythonxy/

For Anaconda (the MS Azure chosen python distribution):

* http://docs.continuum.io/anaconda/install.html#windows-install

...

These should/could/are checking GPG signatures for Windows packages
downstream.

http://www.scipy.org/install.html

Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-04 Thread Steve Dower
"Authenticode does not have a PKI"

If you got that from this discussion, I need everyone to at least skim read 
this:  https://msdn.microsoft.com/en-us/library/ie/ms537361(v=vs.85).aspx

Authenticode uses the same certificate infrastructure as SSL (note: not the 
same certificates). As I see it, anyone running on Windows has access to 
verification that is at least as good as GPG, and the only people who would 
benefit from GPG sigs are those checking Windows files on another OS or those 
with an existing GPG workflow on Windows (before this thread, I knew nobody who 
used GPG on Windows for anything, so forgive me for thinking this is very rare).

Cheers,
Steve

Top-posted from my Windows Phone

From: Wes Turner<mailto:wes.tur...@gmail.com>
Sent: ‎4/‎4/‎2015 6:42
To: M. -A. Lemburg<mailto:m...@egenix.com>
Cc: Python-Dev<mailto:python-dev@python.org>; 
python-committers<mailto:python-committ...@python.org>; Larry 
Hastings<mailto:la...@hastings.org>; Steve 
Dower<mailto:steve.do...@microsoft.com>
Subject: Re: [Python-Dev] [python-committers] Do we need to sign Windows files 
with GnuPG?


So, AFAIU from this discussion:

* Authenticode does not have a PKI
* GPG does have PKI
* ASC signatures are signed checksums

As far as downstream packaging on Windows (people who should/could be 
subscribed to release ANNs):

For Choclatey NuGet:

* https://chocolatey.org/packages/python
* https://chocolatey.org/packages/python.x86
* https://chocolatey.org/packages/python2
* https://chocolatey.org/packages/python-x86_32
* https://chocolatey.org/packages/python3

Python(x,y):

* https://code.google.com/p/pythonxy/

For Anaconda (the MS Azure chosen python distribution):

* http://docs.continuum.io/anaconda/install.html#windows-install

...

These should/could/are checking GPG signatures for Windows packages downstream.

http://www.scipy.org/install.html

On Apr 3, 2015 5:38 PM, "M.-A. Lemburg" 
mailto:m...@egenix.com>> wrote:
On 04.04.2015 00:14, Steve Dower wrote:
> The thing is, that's exactly the same goodness as Authenticode gives, except 
> everyone gets that for free and meanwhile you're the only one who has 
> admitted to using GPG on Windows :)
>
> Basically, what I want to hear is that GPG sigs provide significantly better 
> protection than hashes (and I can provide better than MD5 for all files if 
> it's useful), taking into consideration that (I assume) I'd have to obtain a 
> signing key for GPG and unless there's a CA involved like there is for 
> Authenticode, there's no existing trust in that key.

Hashes only provide checks against file corruption (and then
only if you can trust the hash values). GPG provides all the
benefits of public key encryption on arbitrary files (not just
code).

The main benefit in case of downloadable installers is to
be able to make sure that the files are authentic, meaning that
they were created and signed by the people listed as packagers.

There is no CA infrastructure involved as for SSL certificates
or Authenticode, but it's easy to get the keys from key servers
given the key signatures available from python.org's download
pages.

If you want to sign a package file using GPG, you will need
to create your own key, upload it to the key servers and then
place the signature up on the download page.

Relying only on Authenticode for Windows installers would
result in a break in technology w/r to the downloads we
make available for Python, since all other files are (usually)
GPG signed:

https://www.python.org/ftp/python/3.4.3/

Cheers,
--
Marc-Andre Lemburg
eGenix.com



Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-04 Thread Steve Dower
"Relying only on Authenticode for Windows installers would result in a break in 
technology w/r to the downloads we make available for Python, since all other 
files are (usually) GPG signed"

This is the point of this discussion. I'm willing to make such a break because 
I believe Authenticode is so much more convenient for end users that it isn't 
worth producing GPG signatures. So far, the responses seem to be:

"I'd use them on Windows" x1
"I'd consider using them on another OS" x2-3
"Please don't change" everyone else

At least that's the impression I'm getting, so I hope that helps clarify why 
I'm still not convinced it's that critical.

Cheers,
Steve

Top-posted from my Windows Phone


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-04 Thread Barry Warsaw
On Apr 04, 2015, at 02:41 PM, Steve Dower wrote:

>"Relying only on Authenticode for Windows installers would result in a break
>in technology w/r to the downloads we make available for Python, since all
>other files are (usually) GPG signed"

It's the "only" part I have a question about.

Does the use of Authenticode preclude detached GPG signatures of the exe file?
I can't see how it would, but maybe there's something (well, a lot of
somethings ;) I don't know about Windows.

If not, then what's the problem with also providing a GPG signature?

Cheers,
-Barry


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-04 Thread M.-A. Lemburg
On 04.04.2015 16:41, Steve Dower wrote:
> "Relying only on Authenticode for Windows installers would result in a break 
> in technology w/r to the downloads we make available for Python, since all 
> other files are (usually) GPG signed"
> 
> This is the point of this discussion. I'm willing to make such a break 
> because I believe Authenticode is so much more convenient for end users that 
> it isn't worth producing GPG signatures. So far, the responses seem to be:
> 
> "I'd use them on Windows" x1
> "I'd consider using them on another OS" x2-3
> "Please don't change" everyone else
> 
> At least that's the impression I'm getting, so I hope that helps clarify why 
> I'm still not convinced it's that critical.

Just to clarify:

I have absolutely nothing against using Authenticode on Windows :-)

I'm only trying to convince you that *additionally* providing GPG
sigs for Windows downloads is a good thing and we should not stop
doing this, since it makes verification of downloaded files
easier. It's not hard to do, can be automated and provides additional
security which can be verified on any platform, not only Windows.

Cheers,
-- 
Marc-Andre Lemburg
eGenix.com


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-04 Thread Steve Dower
Small clarification: the certificates *are* the same format as for SSL, and 
OpenSSL is able to validate them in the same way as well as generate them 
(but not extract embedded ones, AFAICT). But generally SSL certificates are not 
marked as suitable for code signing so you need to buy a separate one.

Both Martin and I have the PSF's code signing cert private key, which is how we 
can sign with the "Python Software Foundation" name. The public key is embedded 
into every signed file, just like an SSL cert is attached to a site or an 
S/MIME cert is embedded in a signed email.

Cheers,
Steve

Top-posted from my Windows Phone

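Since the thread notes that the signer's certificate travels inside the signed file, here is an added Python example (not code from the thread, the PSF or Microsoft) that walks the PE headers to the security directory and pulls out the embedded PKCS#7 SignedData blob, so the certificate chain can be looked at on any platform; the `build_minimal_pe` fixture is a constructed, non-loadable header-only image used to exercise the parser.

```python
import struct
from typing import List, Optional

# Constants from the PE/COFF specification (names as in winnt.h).
SECURITY_DIR_INDEX = 4                 # IMAGE_DIRECTORY_ENTRY_SECURITY
WIN_CERT_REVISION_2_0 = 0x0200
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def extract_authenticode_blobs(pe: bytes) -> List[bytes]:
    """Return the DER PKCS#7 SignedData blob(s) embedded in a signed PE file.

    The security directory is special: its 'VirtualAddress' field is a raw
    file offset, not an RVA, and it points at a table of 8-byte-aligned
    WIN_CERTIFICATE entries (dwLength, wRevision, wCertificateType, data).
    Extracting the blob shows the certificate chain; it is not the same as
    verifying the signature, whose hash excludes the checksum field, this
    directory entry and the certificate table itself.
    """
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)  # SizeOfOptionalHeader
    opt = coff + 20
    if opt + opt_size > len(pe):
        raise ValueError("optional header runs past end of file")
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:            # PE32
        nrva_off, dirs_off = 92, 96
    elif magic == 0x20B:          # PE32+
        nrva_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (n_dirs,) = struct.unpack_from("<I", pe, opt + nrva_off)
    if n_dirs <= SECURITY_DIR_INDEX:
        return []                  # no security directory present at all
    sec_off, sec_size = struct.unpack_from(
        "<II", pe, opt + dirs_off + 8 * SECURITY_DIR_INDEX)
    if sec_off == 0 or sec_size == 0:
        return []                  # unsigned file
    if sec_off + sec_size > len(pe):
        raise ValueError("security directory runs past end of file")

    blobs = []
    pos, end = sec_off, sec_off + sec_size
    while pos + 8 <= end:
        length, revision, cert_type = struct.unpack_from("<IHH", pe, pos)
        if length < 8 or pos + length > end:
            raise ValueError("malformed WIN_CERTIFICATE entry")
        if cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA:
            blobs.append(pe[pos + 8:pos + length])
        pos += (length + 7) & ~7   # entries are padded to 8-byte boundaries
    return blobs


def build_minimal_pe(blob: Optional[bytes]) -> bytes:
    """Constructed fixture: a headers-only PE32+ image (not loadable) carrying
    one WIN_CERTIFICATE entry that wraps `blob`, or no entry if blob is None."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew
    n_dirs = 16
    opt_size = 112 + 8 * n_dirs
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)               # PE32+ magic
    struct.pack_into("<I", opt, 108, n_dirs)            # NumberOfRvaAndSizes
    headers_len = 64 + 4 + len(coff) + opt_size         # 328, already 8-aligned
    if blob is None:
        return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
    entry_len = 8 + len(blob)
    padded = (entry_len + 7) & ~7
    struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR_INDEX, headers_len, padded)
    entry = (struct.pack("<IHH", entry_len, WIN_CERT_REVISION_2_0,
                         WIN_CERT_TYPE_PKCS_SIGNED_DATA)
             + blob + b"\0" * (padded - entry_len))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + entry


if __name__ == "__main__":
    # Usage: python extract.py python-3.4.3.amd64.msi -> authenticode-0.p7b
    # The DER blob can then be inspected with:
    #   openssl pkcs7 -inform DER -in authenticode-0.p7b -print_certs -noout
    import sys
    with open(sys.argv[1], "rb") as f:
        for i, der in enumerate(extract_authenticode_blobs(f.read())):
            with open("authenticode-%d.p7b" % i, "wb") as out:
                out.write(der)
```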

Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-04 Thread Kurt B. Kaiser
For the record, that is a Symantec/Verisign code signing certificate. We
paid $1123 for it last April.  It expires April 2017.

If you don't switch to a different vendor, e.g. startssl, please contact
me for renewal in 2017.

KBK


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-04 Thread M.-A. Lemburg
On 04.04.2015 21:02, Kurt B. Kaiser wrote:
> For the record, that is a Symantec/Verisign code signing certificate. We
> paid $1123 for it last April.  It expires April 2017.
> 
> If you don't switch to a different vendor, e.g. startssl, please contact
> me for renewal in 2017.

FWIW: The PSF mostly uses StartSSL nowadays and they also support
code signing certificates. Given that this option is a lot cheaper
than Verisign, I think we should switch, unless there are
significant reasons not to. We should revisit this in 2017.


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-04 Thread Kurt B. Kaiser


On Sat, Apr 4, 2015, at 03:35 PM, M.-A. Lemburg wrote:
> On 04.04.2015 21:02, Kurt B. Kaiser wrote:
> > For the record, that is a Symantec/Verisign code signing
> > certificate. We paid $1123 for it last April.  It expires
> > April 2017.
> >
> > If you don't switch to a different vendor, e.g. startssl, please
> > contact me for renewal in 2017.
>
> FWIW: The PSF mostly uses StartSSL nowadays and they also support code
> signing certificates. Given that this option is a lot cheaper than
> Verisign, I think we should switch, unless there are significant
> reasons not to. We should revisit this in 2017.

Agree - apparently the startssl process for getting a signing cert is
complex/obscure, so we should start early.

Let me know if I can help providing PSF organization verification.

KBK


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-04 Thread M.-A. Lemburg
On 04.04.2015 21:49, Kurt B. Kaiser wrote:
> 
> 
> On Sat, Apr 4, 2015, at 03:35 PM, M.-A. Lemburg wrote:
>> On 04.04.2015 21:02, Kurt B. Kaiser wrote:
>>> For the record, that is a Symantec/Verisign code signing
>>> certificate. We paid $1123 for it last April.  It expires
>>> April 2017.
>>>
>>> If you don't switch to a different vendor, e.g. startssl, please
>>> contact me for renewal in 2017.
>>
>> FWIW: The PSF mostly uses StartSSL nowadays and they also support code
>> signing certificates. Given that this option is a lot cheaper than
>> Verisign, I think we should switch, unless there are significant
>> reasons not to. We should revisit this in 2017.
> 
> Agree - apparently the startssl process for getting a signing cert is
> complex/obscure, so we should start early.

Not really. Once you have the org verification it's really easy.

> Let me know if I can help providing PSF organization verification.

I already completed that for the current cycle.

-- 
Marc-Andre Lemburg
eGenix.com


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-04 Thread Kurt B. Kaiser


On Sat, Apr 4, 2015, at 03:54 PM, M.-A. Lemburg wrote:
> On 04.04.2015 21:49, Kurt B. Kaiser wrote:
> > 
> > 
> > On Sat, Apr 4, 2015, at 03:35 PM, M.-A. Lemburg wrote:
> >> On 04.04.2015 21:02, Kurt B. Kaiser wrote:
> >>> For the record, that is a Symantec/Verisign code signing
> >>> certificate. We paid $1123 for it last April.  It expires
> >>> April 2017.
> >>>
> >>> If you don't switch to a different vendor, e.g. startssl, please
> >>> contact me for renewal in 2017.
> >>
> >> FWIW: The PSF mostly uses StartSSL nowadays and they also support code
> >> signing certificates. Given that this option is a lot cheaper than
> >> Verisign, I think we should switch, unless there are significant
> >> reasons not to. We should revisit this in 2017.
> > 
> > Agree - apparently the starlssl process for getting a signing cert is
> > complex/obscure, so we should start early.
> 
> Not really. Once you have the org verification it's really easy.
> 
> > Let me know if I can help providing PSF organization verification.
> 
> I already completed that for the current cycle.

One can hope.  We shall see :-)

KBK


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-04 Thread Steve Dower
There's no problem, per se, but initially it was less trouble to use the 
trusted PSF certificate and native support than to add an extra step using a 
program I don't already use and trust, am restricted in use by my employer 
(because of the license and the fact there are alternatives), and developing 
the trust in a brand new certificate.

Eventually the people saying "do it" will win through sheer persistence, since 
I'll get sick of trying to get a more detailed response and just concede. Not 
sure if that's how we want to be running the project though...

Top-posted from my Windows Phone



Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-04 Thread Nathaniel Smith
On Sat, Apr 4, 2015 at 6:07 PM, Steve Dower wrote:
> There's no problem, per se, but initially it was less trouble to use the
> trusted PSF certificate and native support than to add an extra step using a
> program I don't already use and trust, am restricted in use by my employer
> (because of the license and the fact there are alternatives), and developing
> the trust in a brand new certificate.
>
> Eventually the people saying "do it" will win through sheer persistence,
> since I'll get sick of trying to get a more detailed response and just
> concede. Not sure if that's how we want to be running the project though...

I don't get the impression that there's any particularly detailed
rationale that people aren't giving you; it's just that to the average
python-dev denizen, gpg-signing seems to provide some mild benefits
and with no downside. The certificate trust issue isn't a downside,
just a mild dilution of the upside. And I suspect python-dev generally
doesn't put much weight on the extra effort required (release managers
have all been using gpg for decades, it's pretty trivial), or see any
reason why Microsoft's internal GPL-hate should have any effect on the
PSF's behaviour. Though it's kinda inconvenient for you, obviously. (I
guess you could call Larry or someone, read them a hash over the
phone, and then have them create the actual gpg signatures.)

-n


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-04 Thread Robert Collins
On 4 April 2015 at 11:14, Steve Dower wrote:
> The thing is, that's exactly the same goodness as Authenticode gives, except
> everyone gets that for free and meanwhile you're the only one who has
> admitted to using GPG on Windows :)
>
> Basically, what I want to hear is that GPG sigs provide significantly better
> protection than hashes (and I can provide better than MD5 for all files if
> it's useful), taking into consideration that (I assume) I'd have to obtain a
> signing key for GPG and unless there's a CA involved like there is for
> Authenticode, there's no existing trust in that key.

GPG sigs will provide protection against replay attacks [unless we're
proposing to revoke signatures on old point releases with known
security vulnerabilities - something that Windows software vendors tend
not to do because of the dramatic and immediate effect on the deployed
base...]

This is not relevant for things we're hosting on SSL, but is if anyone
is mirroring our installers around. They don't seem to be, so perhaps
it's a bit 'meh'.

OTOH I also think there is value in consistency: signing all our
artifacts makes checking back on them later easier, should we need to.

One question, if you will - I don't think this was asked so far - is
Authenticode verifiable from Linux, without Windows? And does it work
for users of WINE?

-Rob


-- 
Robert Collins 
Distinguished Technologist
HP Converged Cloud
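An added example, not code from the thread or from the CPython release tooling, showing the check a downloader would run to get the benefit Robert describes: the detached GPG signature is verified, but the decision also pins the signing key's fingerprint and a SHA-256 digest copied from the HTTPS download page, because an old release's signature stays valid forever and only the pinned digest tells you a mirror has handed you the wrong (older) file. `gpg --status-fd` output is parsed rather than trusting the exit code, since GOODSIG only says some key in the local keyring signed the file. The function names, the fingerprint constant and the sample status lines are all constructed for this example.

```python
"""Verify a release file against a pinned SHA-256 digest and a detached
GnuPG signature, accepting only a pinned signing-key fingerprint.
Added example; function names, the fingerprint and the sample gpg status
output below are constructed, not real release data."""
import hashlib
import subprocess
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder: a real check pins the release manager's published
# key fingerprint, obtained from the HTTPS site or in person, not from a mirror.
EXPECTED_FINGERPRINT = "0011 2233 4455 6677 8899 AABB CCDD EEFF 0011 2233"

# Any of these status keywords means the signature must not be accepted.
FATAL_STATUS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG", "EXPSIG"}


@dataclass
class GpgVerdict:
    ok: bool
    fingerprint: Optional[str]
    sig_timestamp: Optional[int]
    reason: str


def parse_gpg_status(status: str, expected_fingerprint: str) -> GpgVerdict:
    """Interpret the machine-readable lines gpg emits with --status-fd.

    A zero exit code or a GOODSIG line only says that *some* key in the local
    keyring produced the signature.  VALIDSIG carries the full fingerprint,
    which is what must be compared against the value obtained out of band.
    """
    want = expected_fingerprint.replace(" ", "").upper()
    fingerprint = None
    timestamp = None
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        keyword = fields[1]
        if keyword in FATAL_STATUS:
            return GpgVerdict(False, None, None, f"gpg reported {keyword}")
        if keyword == "VALIDSIG":
            # VALIDSIG <fingerprint> <sig-date> <sig-timestamp> <expire-ts> ...
            fingerprint = fields[2].upper()
            timestamp = int(fields[4])
    if fingerprint is None:
        return GpgVerdict(False, None, None, "no VALIDSIG line seen")
    if fingerprint != want:
        return GpgVerdict(False, fingerprint, timestamp, "signed by an unexpected key")
    return GpgVerdict(True, fingerprint, timestamp, "valid signature from pinned key")


def run_gpg_verify(signature_path: str, file_path: str) -> str:
    """Run gpg on a detached signature (file.asc next to file) and return the
    status lines.  Not exercised offline; the exit code is deliberately ignored
    because the status lines are what gets parsed."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature_path, file_path],
        capture_output=True, text=True, check=False,
    )
    return proc.stdout


def verify_release(data: bytes, expected_sha256: str, gpg_status: str,
                   expected_fingerprint: str = EXPECTED_FINGERPRINT) -> tuple:
    """Accept the file only if both the pinned digest and the pinned key match.

    The digest pinned from the HTTPS page is what defeats a replayed old
    release: its signature is still valid, but its digest is not the one
    published for the version you meant to install."""
    digest = hashlib.sha256(data).hexdigest()
    if digest != expected_sha256.lower():
        return False, f"sha256 mismatch: got {digest}"
    verdict = parse_gpg_status(gpg_status, expected_fingerprint)
    if not verdict.ok:
        return False, verdict.reason
    return True, verdict.reason


# Constructed sample of what gpg prints for a good detached signature.
SAMPLE_STATUS_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 8899AABBCCDDEEFF Example Release Manager <rm@example.invalid>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF00112233 2015-04-05 1428192000 0 4 0 1 10 00 00112233445566778899AABBCCDDEEFF00112233
[GNUPG:] TRUST_FULLY 0 pgp
"""

if __name__ == "__main__":
    installer = b"constructed installer bytes"          # stands in for the .msi
    pinned = hashlib.sha256(installer).hexdigest()      # normally copied from the HTTPS page
    print(verify_release(installer, pinned, SAMPLE_STATUS_GOOD))
```

In real use the status text comes from `run_gpg_verify("python-x.y.z.msi.asc", "python-x.y.z.msi")`; the digest and fingerprint must come from somewhere the mirror does not control, or the check collapses back to "the file matches the file".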


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-05 Thread Larry Hastings


On 04/04/2015 08:21 PM, Nathaniel Smith wrote:

(I guess you could call Larry or someone, read them a hash over the
phone, and then have them create the actual gpg signatures.)


By sheer coincidence, I believe Steve and I both live in the Seattle 
area...!



//arry/


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-05 Thread Steve Dower
Nathaniel Smith wrote:
> And I suspect python-dev generally doesn't put much weight on the 
> extra effort required (release managers have all been using gpg for
> decades, it's pretty trivial)

I'm aware of this, but still don't see it as a reason to unnecessarily 
duplicate process.

> or see any reason why Microsoft's internal GPL-hate should have any
> effect on the PSF's behaviour.

Seems the "internal GPL-hate" has softened even more than I was aware. The 
history for GPG was spotty, but my request was automatically approved, so I 
guess the line has been moved far enough away that I've lost that excuse :)

Now I just have to find the time to learn how to use it...

Cheers,
Steve


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-05 Thread Antoine Pitrou
On Sun, 05 Apr 2015 01:06:01 -0700
Larry Hastings  wrote:
> 
> On 04/04/2015 08:21 PM, Nathaniel Smith wrote:
> > (I guess you could call Larry or someone, read them a hash over the
> > phone, and then have them create the actual gpg signatures.)
> 
> By sheer coincidence, I believe Steve and I both live in the Seattle 
> area...!

Meaning the phone works well enough there?

Regards

Antoine.




Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-05 Thread Steve Dower
"One question, if you will - I don't think this was asked so far - is
authenticode verifiable from Linux, without Windows? And does it work
for users of WINE ?"

I've seen some info suggesting that it's verifiable, but you do need to extract 
the cert and calculate the hash against less than the signed file. Seemed like 
Mono had a tool for it, but OpenSSL can handle the cert.

Currently the new installer doesn't run on Wine because of missing APIs (since 
I want to discuss alternate distribution ideas I haven't treated this as a 
priority), and I've heard they haven't implemented enough crypto yet to handle 
it, but that could be outdated.

"GPG sigs will provide protection against replay attacks"

How does this work?

Cheers,
Steve

Top-posted from my Windows Phone

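An added example, not code from the thread or from any project mentioned in it, making concrete the "hash against less than the signed file" step Steve refers to. An Authenticode signature does not cover the whole PE image: the CheckSum field, the Security data-directory entry and the attribute certificate table itself are skipped, so a verifier on Linux has to walk the PE headers to find those regions, hash the rest, and then compare that digest with the one inside the embedded PKCS#7 blob (the blob can be dumped to a file and read with `openssl pkcs7 -inform DER -print_certs`; osslsigncode does the whole job in one step). Assumptions, stated in the code: PE32/PE32+ with the certificate table at the end of the file and sections stored in header order, which is how ordinary linker output looks; the function names and the minimal PE built by `build_fake_pe` are this example's own constructions.

```python
"""Compute the Authenticode digest of a PE file (everything except the three
regions the signature does not cover) and extract the embedded PKCS#7 blob.
Added example with constructed test data; assumes PE32/PE32+ with the
certificate table at the end of the file and sections in header order."""
import hashlib
import struct

WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def authenticode_regions(pe: bytes):
    """Locate CheckSum, the Security data-directory entry and the certificate
    table from the PE headers.  All values returned are file offsets."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 24                       # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic == 0x10B:                        # PE32: data directories begin at +96
        secdir_off = opt + 96 + 4 * 8         # entry 4 is IMAGE_DIRECTORY_ENTRY_SECURITY
    elif magic == 0x20B:                      # PE32+: data directories begin at +112
        secdir_off = opt + 112 + 4 * 8
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    checksum_off = opt + 64                   # same position in PE32 and PE32+
    # For the Security entry the "virtual address" is really a file offset.
    cert_off, cert_len = struct.unpack_from("<II", pe, secdir_off)
    return checksum_off, secdir_off, cert_off, cert_len


def authenticode_hash(pe: bytes, algo: str = "sha256") -> str:
    """Digest over the file minus CheckSum, the Security directory entry and
    the certificate table; this is the value the signature vouches for."""
    checksum_off, secdir_off, cert_off, cert_len = authenticode_regions(pe)
    if cert_len == 0:
        raise ValueError("file has no Authenticode signature")
    if cert_off + cert_len != len(pe):        # assumption: table is the last thing in the file
        raise ValueError("certificate table not at end of file; layout unsupported here")
    h = hashlib.new(algo)
    h.update(pe[:checksum_off])
    h.update(pe[checksum_off + 4:secdir_off])
    h.update(pe[secdir_off + 8:cert_off])
    return h.hexdigest()


def extract_pkcs7(pe: bytes) -> bytes:
    """Return the DER PKCS#7 SignedData carried in the WIN_CERTIFICATE entry."""
    _, _, cert_off, cert_len = authenticode_regions(pe)
    if cert_len < 8:
        raise ValueError("file has no Authenticode signature")
    dw_length, _revision, cert_type = struct.unpack_from("<IHH", pe, cert_off)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA:
        raise ValueError(f"unexpected certificate type {cert_type:#x}")
    return pe[cert_off + 8:cert_off + dw_length]


def build_fake_pe(body: bytes, cert_blob: bytes) -> bytes:
    """Constructed minimal PE32 image for offline testing: DOS header, COFF
    header, 224-byte optional header, one section header, section data and a
    trailing certificate table.  Not a loadable executable."""
    e_lfanew = 0x80
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += bytes(e_lfanew - len(dos))
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    headers_len = e_lfanew + 24 + 224 + 40
    cert_off = headers_len + len(body)
    entry = struct.pack("<IHH", 8 + len(cert_blob), 0x0200,
                        WIN_CERT_TYPE_PKCS_SIGNED_DATA) + cert_blob
    entry += bytes(-len(entry) % 8)                           # entries are 8-byte aligned
    struct.pack_into("<I", opt, 60, headers_len)              # SizeOfHeaders
    struct.pack_into("<I", opt, 64, 0xDEADBEEF)               # CheckSum, excluded from hash
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 128, cert_off, len(entry))   # Security directory entry
    section = b".text\0\0\0" + struct.pack("<IIIIIIHHI", len(body), 0x1000, len(body),
                                            headers_len, 0, 0, 0, 0, 0x60000020)
    return dos + coff + bytes(opt) + section + body + entry


if __name__ == "__main__":
    sample = build_fake_pe(b"A" * 64, b"\x30\x03\x02\x01\x05")  # constructed blob
    print("authenticode sha256:", authenticode_hash(sample))
    print("whole-file sha256:  ", sha256_hex(sample))
    print("pkcs7 bytes:", extract_pkcs7(sample).hex())
```

The digest this produces is only the first half of verification: the signature inside the PKCS#7 blob still has to be checked against the certificate chain, and the chain against a root you trust, which is the part that needs OpenSSL (or osslsigncode) rather than hashlib.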


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-05 Thread Larry Hastings

On 04/05/2015 06:41 AM, Antoine Pitrou wrote:

On Sun, 05 Apr 2015 01:06:01 -0700
Larry Hastings  wrote:

On 04/04/2015 08:21 PM, Nathaniel Smith wrote:

(I guess you could call Larry or someone, read them a hash over the
phone, and then have them create the actual gpg signatures.)

By sheer coincidence, I believe Steve and I both live in the Seattle
area...!

Meaning the phone works well enough there?


Meaning we could do it properly in person.  Anyway we're gonna take care 
of it at PyCon.



//arry/


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-05 Thread Ben Finney
Steve Dower  writes:

> Nathaniel Smith wrote:
> > And I suspect python-dev generally doesn't put much weight on the 
> > extra effort required (release managers have all been using gpg for
> > decades, it's pretty trivial)
>
> I'm aware of this, but still don't see it as a reason to unnecessarily
> duplicate process.

That's a good argument. But it's one against Authenticode, because
that's a single-platform process that duplicates an existing convention
to use an open, free standard: OpenPGP certificates.

So the demands of “why do we need to duplicate this work?” should be
made to Microsoft for choosing to re-invent that long-standing and
superior (because open, free-software, and cross-platform) wheel.

-- 
 \  “At my lemonade stand I used to give the first glass away free |
  `\  and charge five dollars for the second glass. The refill |
_o__)contained the antidote.” —Emo Philips |
Ben Finney



Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-16 Thread Martin v. Löwis
On 04.04.15 at 21:54, M.-A. Lemburg wrote:
>>> FWIW: The PSF mostly uses StartSSL nowadays and they also support code
>>> signing certificates. Given that this option is a lot cheaper than
>>> Verisign, I think we should switch, unless there are significant
>>> reasons not to. We should revisit this in 2017.
>>
>> Agree - apparently the StartSSL process for getting a signing cert is
>> complex/obscure, so we should start early.
> 
> Not really. Once you have the org verification it's really easy.
> 
>> Let me know if I can help providing PSF organization verification.
> 
> I already completed that for the current cycle.
> 

I had asked the PSF for a StartSSL certificate when the previous
certificate expired, and the PSF was not able to provide one. After
waiting several weeks for the PSF to provide the certificate, Kurt then
kindly went to Verisign.

Kind regards,
Martin



Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-16 Thread Martin v. Löwis
On 05.04.15 at 06:43, Steve Dower wrote:
> Now I just have to find the time to learn how to use it...

I always sign with Kleopatra on Windows. It's really simple: just drag
all files you want to sign onto it, configure "detached" signatures, and
it will place the signature next to the original file.

Regards,
Martin



Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-16 Thread M.-A. Lemburg
On 16.04.2015 21:34, "Martin v. Löwis" wrote:
> On 04.04.15 at 21:54, M.-A. Lemburg wrote:
>>>> FWIW: The PSF mostly uses StartSSL nowadays and they also support code
>>>> signing certificates. Given that this option is a lot cheaper than
>>>> Verisign, I think we should switch, unless there are significant
>>>> reasons not to. We should revisit this in 2017.
>>>
>>> Agree - apparently the StartSSL process for getting a signing cert is
>>> complex/obscure, so we should start early.
>>
>> Not really. Once you have the org verification it's really easy.
>>
>>> Let me know if I can help providing PSF organization verification.
>>
>> I already completed that for the current cycle.
>>
> 
> I had asked the PSF for a StartSSL certificate when the previous
> certificate expired, and the PSF was not able to provide one. After
> waiting several weeks for the PSF to provide the certificate, Kurt then
> kindly went to Verisign.

When was that? I never received such a request. The account
I'm using was created in Dec 2014 and the validation received
on 2014-12-17. This is valid for about a year:

https://wiki.python.org/psf/PSF%20SSL%20Certificates

Code signing certificates are valid for two years, so switching
to StartSSL probably doesn't make much sense now, unless perhaps
we want to switch to SHA2 and longer RSA keys (if that's possible for
code signing certs - I'd have to check).

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Apr 17 2015)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> mxODBC Plone/Zope Database Adapter ...   http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...http://python.egenix.com/


: Try our mxODBC.Connect Python Database Interface for free ! ::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
   Registered at Amtsgericht Duesseldorf: HRB 46611
   http://www.egenix.com/company/contact/


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-17 Thread Martin v. Löwis
On 17.04.15 at 00:46, M.-A. Lemburg wrote:
>> I had asked the PSF for a StartSSL certificate when the previous
>> certificate expired, and the PSF was not able to provide one. After
>> waiting several weeks for the PSF to provide the certificate, Kurt then
>> kindly went to Verisign.
> 
> When was that? I never received such a request.

I sent the request to Jesse Noller, Noah Kantrowitz and Kurt Kaiser on
2014-03-17. On 2014-04-15, Jesse indicated that he had given up.

Regards,
Martin


Re: [Python-Dev] [python-committers] Do we need to sign Windows files with GnuPG?

2015-04-17 Thread M.-A. Lemburg
On 17.04.2015 19:31, "Martin v. Löwis" wrote:
> On 17.04.15 at 00:46, M.-A. Lemburg wrote:
>>> I had asked the PSF for a StartSSL certificate when the previous
>>> certificate expired, and the PSF was not able to provide one. After
>>> waiting several weeks for the PSF to provide the certificate, Kurt then
>>> kindly went to Verisign.
>>
>> When was that? I never received such a request.
> 
> I sent the request to Jesse Noller, Noah Kantrowitz and Kurt Kaiser on
> 2014-03-17. On 2014-04-15, Jesse indicated that he had given up.

I guess that explains why nothing happened. Jesse owned the StartSSL
account before I took over in Dec last year.

-- 
Marc-Andre Lemburg
eGenix.com

Professional Python Services directly from the Source  (#1, Apr 17 2015)
>>> Python Projects, Coaching and Consulting ...  http://www.egenix.com/
>>> mxODBC Plone/Zope Database Adapter ...   http://zope.egenix.com/
>>> mxODBC, mxDateTime, mxTextTools ...http://python.egenix.com/


: Try our mxODBC.Connect Python Database Interface for free ! ::

   eGenix.com Software, Skills and Services GmbH  Pastor-Loeh-Str.48
D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg
   Registered at Amtsgericht Duesseldorf: HRB 46611
   http://www.egenix.com/company/contact/