RetroSearch Browse

Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from http://mail.python.org/pipermail/python-dev/attachments/20150403/017d0759/attachment.html below:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1256">
<meta name="Generator" content="Microsoft Exchange Server">
<style></style>
</head>
<body>
<div>
<div>
<div style="font-family:Calibri,sans-serif; font-size:11pt">The thing is, that's exactly the same goodness as Authenticode gives, except everyone gets that for free and meanwhile you're the only one who has admitted to using GPG on Windows :) 
 
Basically, what I want to hear is that GPG sigs provide significantly better protection than hashes (and I can provide better than MD5 for all files if it's useful), taking into consideration that (I assume) I'd have to obtain a signing key for GPG and unless
there's a CA involved like there is for Authenticode, there's no existing trust in that key. 
 
Cheers, 
Steve 
 
Top-posted from my Windows Phone</div>
</div>
<div dir="ltr">
<hr>
From:
<a href="mailto:mal@egenix.com">M.-A. Lemburg</a> 
Sent:
ý4/ý3/ý2015 10:55 
To:
<a href="mailto:Steve.Dower@microsoft.com">Steve Dower</a>;
<a href="mailto:larry@hastings.org">Larry Hastings</a>; <a href="mailto:python-dev@python.org">
Python Dev</a>; <a href="mailto:python-committers@python.org">python-committers</a> 
Subject:
Re: [python-committers] [Python-Dev] Do we need to sign Windows files with GnuPG? 
 
</div>
</div>

<div class="PlainText">On 03.04.2015 19:35, Steve Dower wrote: 
>> My Windows development days are firmly behind me. So I don't really have an 
>> opinion here. So I put it to you, Windows Python developers: do you care about 
>> GnuPG signatures on Windows-specific files? Or do you not care? 
> 
> The later replies seem to suggest that they are general goodness that nobody on Windows will use. If someone convinces me (or steamrolls me, that's fine too) that the goodness of GPG is better than a hash then I'll look into adding it into the process. Otherwise
I'll happily add hash generation into the upload process (which I'm going to do anyway for the ones displayed on the download page). 
 
FWIW: I regularly check the GPG sigs on all important downloaded 
files, regardless of which platform they target, including the 
Windows installers for Python or any other Windows installers 
I use which provide such sigs. 
 
The reason is simple: 
The signature is a proof of authenticity which is not bound to 
a particular file format or platform and before running .exes 
it's good to know that they were built by the right people and 
not manipulated by trojans, viruses or malicious proxies. 
 
Is that a good enough reason to continue providing the GPG 
sigs or do you need more proof of goodness ? ;-) 
 
-- 
Marc-Andre Lemburg 
eGenix.com 
 
Professional Python Services directly from the Source 
>>> Python/Zope Consulting and Support ... <a href="http://www.egenix.com/">
http://www.egenix.com/</a> 
>>> mxODBC.Zope.Database.Adapter ... <a href="http://zope.egenix.com/">
http://zope.egenix.com/</a> 
>>> mxODBC, mxDateTime, mxTextTools ... <a href="http://python.egenix.com/">
http://python.egenix.com/</a> 
________________________________________________________________________ 
 
::: Try our new mxODBC.Connect Python Database Interface for free ! :::: 
 
 
 eGenix.com Software, Skills and Services GmbH Pastor-Loeh-Str.48 
 D-40764 Langenfeld, Germany. CEO Dipl.-Math. Marc-Andre Lemburg 
 Registered at Amtsgericht Duesseldorf: HRB 46611 
 <a href="http://www.egenix.com/company/contact/">http://www.egenix.com/company/contact/</a> 
</div>

</body>
</html>

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4