On Fri, Apr 5, 2013 at 4:47 PM, Laurens Van Houtven <_...@lvh.cc> wrote:
> As far as I can tell, the defaults are currently beyond plain old DSA.
>
Whoops, that's not entirely correct, as exarkun was nice enough to point
out to me. Apparently, it's beyond plain old DSA *only if you ask for DSA*.
On Fri, Apr 5, 2013 at 3:12 PM, Tristan Seligmann wrote:
> DSA keys larger than 1024 bit(?) are "non-standard", but I think the
> bigger issue is that DSA only supports 160-bit hashes; larger hashes will
> be truncated, which means you don't gain much by using SHA-256/SHA-512/etc.
> instead of SHA
On Fri, Apr 5, 2013 at 2:32 AM, Laurens Van Houtven <_...@lvh.cc> wrote:
> DSA, by default, used SHA-1; recent revisions support SHA-2. A few years
> ago, GnuPG and several big users including Debian and Apache started
> suggesting the move to RSA instead of DSA keys. The algorithms vary a bit
> i
On 05/04/2013 01:41, Glyph wrote:
>
> On Apr 4, 2013, at 9:53 AM, exar...@twistedmatrix.com wrote:
>
>> On 04:00 pm, the...@free.fr wrote:
>>> On 04/04/2013 13:14, exar...@twistedmatrix.com wrote:
On 10:18 am, the...@free.fr wrote:
> OK. I've opened http://pad.lv/1164403 for the re
On Thu, Apr 4, 2013 at 8:15 PM, Tristan Seligmann wrote:
> In fact, I believe there is no such thing as "signing the whole binary
> blob". When you use something like gpg --sign, what is actually signed with
> a public key signature algorithm is a hash of the content anyway. Thus,
> assuming you u
On Apr 4, 2013, at 11:15 AM, Tristan Seligmann wrote:
> In fact, I believe there is no such thing as "signing the whole binary blob".
> When you use something like gpg --sign, what is actually signed with a public
> key signature algorithm is a hash of the content anyway. Thus, assuming you
>
On Apr 4, 2013, at 9:53 AM, exar...@twistedmatrix.com wrote:
> On 04:00 pm, the...@free.fr wrote:
>> On 04/04/2013 13:14, exar...@twistedmatrix.com wrote:
>>> On 10:18 am, the...@free.fr wrote:
OK. I've opened http://pad.lv/1164403 for the required changes in our
tool. I'll update th
On Thu, Apr 4, 2013 at 12:04 AM, Glyph wrote:
> Security-wise, signing an actually-secure hash is not that much different
> than signing the tarballs themselves. Signing MD5 hashes, on the other
> hand, is useless as a security measure.
>
> I think we should carry on with signing the list of sig
On 04:00 pm, the...@free.fr wrote:
>On 04/04/2013 13:14, exar...@twistedmatrix.com wrote:
>>On 10:18 am, the...@free.fr wrote:
>>>OK. I've opened http://pad.lv/1164403 for the required changes in our
>>>tool. I'll update the release document once that's done.
>>
>>Hm. As far as the download/rel
On 04/04/2013 13:14, exar...@twistedmatrix.com wrote:
> On 10:18 am, the...@free.fr wrote:
>> OK. I've opened http://pad.lv/1164403 for the required changes in our
>> tool. I'll update the release document once that's done.
>
> Hm. As far as the download/release trac macro goes, the purpose of
On 10:18 am, the...@free.fr wrote:
>On 03/04/2013 23:55, Glyph wrote:
>>
>>On Apr 3, 2013, at 9:14 AM, Thomas Hervé wrote:
>>>* Glyph mumbled something about sha sums of the release files,
>>>instead
>>>of md5. Should we pursue that? We may need to update some trac
>>>integration code.
>>
>>We
On 03/04/2013 23:55, Glyph wrote:
>
> On Apr 3, 2013, at 9:14 AM, Thomas Hervé wrote:
>
>> Hey everyone,
>>
>> During the latest release process, I was left with several things to
>> clarify, so now that it's done I think it's time:
>>
>> * We started building wheels for Windows. What do we d
On 04/03/2013 10:58 PM, Laurens Van Houtven wrote:
> Is the accidental corruption thing a real risk? I thought that was the
> point of, say, TCP checksums :) Perhaps I'm just mistaken as to how
> often this happens in the wild...
TCP checksums absolutely can and do fail to protect you from in-flig
On Wed, Apr 3, 2013 at 11:58 PM, Laurens Van Houtven <_...@lvh.cc> wrote:
> Is the accidental corruption thing a real risk? I thought that was the
> point of, say, TCP checksums :) Perhaps I'm just mistaken as to how often
> this happens in the wild...
>
TCP checksums don't protect you against cor
On Apr 3, 2013, at 3:23 PM, Laurens Van Houtven <_...@lvh.cc> wrote:
> On Thu, Apr 4, 2013 at 12:04 AM, Glyph wrote:
> The release manager already _does_ sign something. Since PyCon, we do have
> much better trust web integration, which is great, but that's not really
> relevant to this discu
On Thu, Apr 4, 2013 at 12:04 AM, Glyph wrote:
> The release manager already _does_ sign something. Since PyCon, we do
> have much better trust web integration, which is great, but that's not
> really relevant to this discussion, which is just about changing what we
> sign and how it gets signed.
On Apr 3, 2013, at 1:51 PM, exar...@twistedmatrix.com wrote:
> On 04:36 pm, _...@lvh.cc wrote:
>> On Wed, Apr 3, 2013 at 6:14 PM, Thomas Hervé wrote:
>>> * Glyph mumbled something about sha sums of the release files,
>>> instead
>>> of md5. Should we pursue that? We may need to update some trac
On Wed, Apr 3, 2013 at 10:51 PM, wrote:
> The question relates to step 4 beneath "Cut the tarballs & installers":
>
> http://twistedmatrix.com/trac/wiki/ReleaseProcess#Cutthetarballsinstallers
>
> The checksums are intended to let people verify their download was
> neither accidentally corrupted
On Apr 3, 2013, at 9:14 AM, Thomas Hervé wrote:
> Hey everyone,
>
> During the latest release process, I was left with several things to
> clarify, so now that it's done I think it's time:
>
> * We started building wheels for Windows. What do we do with me, should
> we upload it to pypi? What
On 04:36 pm, _...@lvh.cc wrote:
>On Wed, Apr 3, 2013 at 6:14 PM, Thomas Hervé wrote:
>> * Glyph mumbled something about sha sums of the release files,
>>instead
>>of md5. Should we pursue that? We may need to update some trac
>>integration code.
>
>Depends, what's the goal of the checksums? If i
On Wed, Apr 3, 2013 at 9:14 AM, Thomas Hervé wrote:
> * Glyph mumbled something about sha sums of the release files, instead
> of md5. Should we pursue that? We may need to update some trac
> integration code.
>
>
+1 for SHA-256 or SHA-512. High profile collision attacks against MD5 have
happene
On Wed, Apr 3, 2013 at 6:14 PM, Thomas Hervé wrote:
> * Glyph mumbled something about sha sums of the release files, instead
> of md5. Should we pursue that? We may need to update some trac
> integration code.
>
Depends, what's the goal of the checksums? If it's "we want people to be
able to ch
22 matches