[issue25255] Security of CPython Builds

2015-09-28 Thread R. David Murray
Changes by R. David Murray:
resolution: -> not a bug
stage: -> resolved
status: open -> closed

[issue25255] Security of CPython Builds

2015-09-28 Thread phelix
phelix added the comment: Thank you all for your responses.
> Having read your link [2] above (at least briefly), it seems the aim is to
> compare hashes of builds from multiple people to verify that nobody
> maliciously modified the binaries.
Exactly. Also it might protect the people actually

[issue25255] Security of CPython Builds

2015-09-28 Thread Steve Dower
Steve Dower added the comment: Having read your link [2] above (at least briefly), it seems the aim is to compare hashes of builds from multiple people to verify that nobody maliciously modified the binaries. That isn't going to work for Windows because we cryptographically sign the binaries.

[issue25255] Security of CPython Builds

2015-09-28 Thread Steve Dower
Steve Dower added the comment: I do need to contribute some PEP 101 updates at some point, since the Windows build no longer resembles what is described there, but it's mostly about configuration.
* Install x, y, z
* Obtain extra externals
* Install signing certificate
* Configure non-default

[issue25255] Security of CPython Builds

2015-09-28 Thread R. David Murray
R. David Murray added the comment: Well, making the build process more automated would help us, so if someone wants to help make that kind of thing happen it will probably be well received. The platform installer builds (OSX, Windows) are tricky things, though, and a fair amount of knowledge

[issue25255] Security of CPython Builds

2015-09-28 Thread phelix
phelix added the comment:
@Brett: Thanks for the info, I had not noticed PEP 101 had been updated.
@Paul: Ah, I had not found PCBuild/readme.txt yet. I did look at the devguide but I got the impression it was mostly meant for debug builds.
> Basically through trusting the people who produce th

[issue25255] Security of CPython Builds

2015-09-28 Thread Paul Moore
Paul Moore added the comment: Also, the Windows build process is documented in PCBuild/readme.txt - see https://hg.python.org/cpython/file/tip/PCbuild/readme.txt
More generally the devguide documents how to build CPython - https://docs.python.org/devguide/setup.html#compiling

[issue25255] Security of CPython Builds

2015-09-28 Thread Brett Cannon
Brett Cannon added the comment: And just as an FYI, while PEP 101 was created 14 years ago, it has been updated regularly (last edit was 13 days ago): https://hg.python.org/peps/log/tip/pep-0101.txt
nosy: +brett.cannon

[issue25255] Security of CPython Builds

2015-09-28 Thread Steve Dower
Steve Dower added the comment: Basically through trusting the people who produce the builds. You can also verify the hg changeset by looking at sys.version and matching it to the tagged release. If there are any differences between the tagged commit and the one used to build, there will be a "

[issue25255] Security of CPython Builds

2015-09-28 Thread phelix bitcoin
New submission from phelix bitcoin: A description of the build and release process for CPython binaries (e.g. for Windows) would be great. Maybe I am missing something? I could not find any information other than the 14-year-old PEP 101 which says: "Notify the experts that they can start buil