Include sha256 hashes of release downloads in announcement communications #90235
Comments
|
The announcement email list (https://mail.python.org/archives/list/python-announce-list@python.org/) and other places we make announcements beyond just the release pages like https://www.python.org/downloads/release/python-3101/ should include a list of sha256 hashes of the release binaries in the announcement text. This serves as an alternative confirmation that nothing has changed as such announcements are widely distributed and archived by independent parties and individuals and can thus convey a level of trust that a hash listed on the downloads page cannot (where an attacker would simply modify both). Yes there is a gpg signature on the downloads. I encourage people to use that. But this provides an alternate distributed mechanism to verify that nothing has changed at all since the release announcement. Something a gpg signature cannot fully do (consider this protection against the possibility of new signed binary being put into its place by a compromised key/signer/builder/RM before anyone happens to notice and poke around). A simple table of: filename.tar.gz | sha256 hash At the end of the announcement email/post would suffice. Less of an issue on source packages as those can be verified against the git repo. But it's nice for people to know if binaries change without an announcement and explanation and is easy for us to provide. Bonus points if the release announcement email body itself is signed (if that is even feasible per our release signing GPG key management). [context: see recent python-dev subject: Python release announcement format] |
|
|
Note: these values reflect the state of the issue at the time it was migrated and might not reflect the current state.
Show more details
GitHub fields:
bugs.python.org fields:
The text was updated successfully, but these errors were encountered: