Roger Binns:
> The Windows Python distribution is signed by PGP and the normal Microsoft
> way using a Verisign class 3 cert. (If you read their issuer statement it
> ultimately says the cert isn't worth the bits it is printed on :-) One of
> those certs is $500 per year which is out of the question for me.

Code signing certificates that will be valid for Windows Authenticode cost $129 per year through CodeProject http://www.codeproject.com/services/certificates/index.aspx

> Does anyone have any other suggestions? Has the PSF considered running a
> certificate authority for extension developers, and other Python developers
> for that matter?

I'd like to see a certificate authority for open source projects based mainly on project reputation and longevity. There may need to be some payment to avoid flooding the CA with invalid requests - say $30 per year. It would be great if this CA was recognised by Microsoft and Apple as well as Linux and BSD distributions.

There are some issues about identity here. Should the certificate be for the project, an individual, or an individual within a project? You want to know that PyExt1 comes from the genuine Ext1 project but the build will commonly be initiated by an individual who may later be found to be malicious. The Ext1 project should be able to revoke "Mal Icious of Ext1" and have future releases signed by "Trust Worthy of Ext1".

Neil
--
http://mail.python.org/mailman/listinfo/python-list
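The "individual within a project" model Neil describes can be sketched as a two-level signing chain: the project holds a root key, issues a delegation certificate to each individual signer, and publishes a revocation list, so a user needs to trust only the project key and can still reject releases from a signer the project has since revoked. The Go program below is an added example written for this thread, not code from the post, the PSF, or any of the CAs mentioned; it uses Ed25519 in place of Authenticode or PGP, and the project name "Ext1", the two signer names, and the release payloads are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// DelegationCert is issued by the project's root key: it states that the named
// individual's key may sign releases for the project until NotAfter.
type DelegationCert struct {
	Project   string
	Signer    string // e.g. "Trust Worthy of Ext1"
	SignerKey ed25519.PublicKey
	NotAfter  time.Time
	Sig       []byte // project root signature over certBytes()
}

// certBytes is a domain-separated encoding, so a certificate signature can
// never be replayed as a release signature or the other way round.
func certBytes(c *DelegationCert) []byte {
	b := []byte("delegation\x00" + c.Project + "\x00" + c.Signer + "\x00")
	b = append(b, c.SignerKey...)
	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(c.NotAfter.Unix()))
	return append(b, ts[:]...)
}

func IssueDelegation(projectPriv ed25519.PrivateKey, project, signer string,
	signerPub ed25519.PublicKey, notAfter time.Time) *DelegationCert {
	c := &DelegationCert{Project: project, Signer: signer, SignerKey: signerPub, NotAfter: notAfter}
	c.Sig = ed25519.Sign(projectPriv, certBytes(c))
	return c
}

// Release is what a user downloads: the payload plus the signer's certificate
// and signature, so it can be checked with only the project's public key.
type Release struct {
	Project, Name string
	Payload       []byte
	Cert          *DelegationCert
	Sig           []byte // individual signer's signature over releaseBytes()
}

func releaseBytes(r *Release) []byte {
	b := []byte("release\x00" + r.Project + "\x00" + r.Name + "\x00")
	return append(b, r.Payload...)
}

func SignRelease(signerPriv ed25519.PrivateKey, cert *DelegationCert, name string, payload []byte) *Release {
	r := &Release{Project: cert.Project, Name: name, Payload: payload, Cert: cert}
	r.Sig = ed25519.Sign(signerPriv, releaseBytes(r))
	return r
}

// Revocations is the project's published list of signer names it no longer
// trusts (a real deployment would key it on a key fingerprint or serial).
type Revocations map[string]bool

// VerifyRelease trusts only the project root key and the revocation list.
func VerifyRelease(projectPub ed25519.PublicKey, revoked Revocations, r *Release, now time.Time) error {
	c := r.Cert
	switch {
	case c == nil:
		return errors.New("release carries no delegation certificate")
	case c.Project != r.Project:
		return fmt.Errorf("certificate is for project %q, release claims %q", c.Project, r.Project)
	case len(c.SignerKey) != ed25519.PublicKeySize:
		return errors.New("malformed signer key") // ed25519.Verify would panic on it
	case !ed25519.Verify(projectPub, certBytes(c), c.Sig):
		return errors.New("delegation certificate not signed by project root key")
	case now.After(c.NotAfter):
		return fmt.Errorf("delegation for %q expired %s", c.Signer, c.NotAfter.Format(time.RFC3339))
	case revoked[c.Signer]:
		return fmt.Errorf("signer %q has been revoked by the project", c.Signer)
	case !ed25519.Verify(c.SignerKey, releaseBytes(r), r.Sig):
		return errors.New("release signature does not verify under the delegated key")
	}
	return nil
}

// RunScenario plays out the post's situation: Ext1 delegates to two people,
// later revokes one, and users verify releases. Keys are freshly generated and
// all names and payloads are constructed; the map says which releases verified.
func RunScenario() (map[string]bool, error) {
	projPub, projPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	malPub, malPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	trustPub, trustPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	year := now.AddDate(1, 0, 0)
	malCert := IssueDelegation(projPriv, "Ext1", "Mal Icious of Ext1", malPub, year)
	trustCert := IssueDelegation(projPriv, "Ext1", "Trust Worthy of Ext1", trustPub, year)

	v1 := SignRelease(malPriv, malCert, "PyExt1-1.0", []byte("release 1.0 bytes"))
	v2 := SignRelease(trustPriv, trustCert, "PyExt1-1.1", []byte("release 1.1 bytes"))
	modified := *v1
	modified.Payload = []byte("modified bytes") // payload changed after signing
	// A certificate the project never issued: Mal signs it with his own key.
	selfIssued := IssueDelegation(malPriv, "Ext1", "Mal Icious of Ext1", malPub, year)
	v3 := SignRelease(malPriv, selfIssued, "PyExt1-1.2", []byte("release 1.2 bytes"))

	revoked := Revocations{}
	out := map[string]bool{
		"1.0 by Mal before revocation":  VerifyRelease(projPub, revoked, v1, now) == nil,
		"1.0 with modified payload":     VerifyRelease(projPub, revoked, &modified, now) == nil,
		"1.2 with self-issued cert":     VerifyRelease(projPub, revoked, v3, now) == nil,
		"1.1 checked after cert expiry": VerifyRelease(projPub, revoked, v2, year.AddDate(0, 0, 1)) == nil,
	}
	revoked["Mal Icious of Ext1"] = true // the project revokes Mal
	out["1.0 by Mal after revocation"] = VerifyRelease(projPub, revoked, v1, now) == nil
	out["1.1 by Trust after revocation"] = VerifyRelease(projPub, revoked, v2, now) == nil
	return out, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		panic(err)
	}
	for k, v := range res {
		fmt.Printf("%-32s verified=%v\n", k, v)
	}
}
```

The design choice worth noting is that revocation is a decision of the project, not of the CA: once the root key has delegated, the project can drop "Mal Icious of Ext1" from its trusted signers without asking anyone to reissue anything, and "Trust Worthy of Ext1" keeps signing under an unchanged project identity. Releases already signed by a later-revoked individual stop verifying as soon as the user has the updated list, which is the behaviour Neil asks for, and which a plain per-individual certificate cannot give.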